Instagram recently patched a significant security flaw that compromised user data during the password reset process. On June 6, 2026, a vulnerability in the web-based interface revealed unredacted email addresses and phone numbers of Instagram users, including public figures like Meta’s CEO Mark Zuckerberg and model Georgina Rodriguez.
Swift Response by Meta
Meta, Instagram’s parent company, acted promptly with an emergency hotfix to address the issue. This action came after proof-of-concept images showcasing the vulnerability circulated across social media platforms, highlighting the gravity of the situation.
The flaw was found in Instagram’s password reset screen, which failed to mask sensitive information, allowing full visibility of email addresses and phone numbers. Normally, such data would be partially obscured, adhering to Meta’s data protection policies.
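An added illustration, not Meta's code and not part of the original article: one way a reset endpoint can mask contact details on the server, so the unredacted values never reach the page, together with a regression check on the serialized response. The field names, mask format and sample account are assumptions constructed for this example.

```python
import json
import re

MASK = "*" * 6  # fixed width so the hint does not leak the real length

# Constructed sample record; not real account data.
SAMPLE_ACCOUNT = {"email": "alice.example@mail.example",
                  "phone": "+1 (555) 010-0142"}


def mask_email(email):
    """Keep the first character of the local part and of the domain, plus the TLD."""
    local, _, domain = email.partition("@")
    name, _, tld = domain.rpartition(".")
    if not local or not name or not tld:
        return MASK  # malformed value: reveal nothing
    return f"{local[0]}{MASK}@{name[0]}{MASK}.{tld}"


def mask_phone(phone):
    """Keep only the last two digits."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 7:
        return MASK  # too short to mask meaningfully: reveal nothing
    return f"{MASK}{digits[-2:]}"


def reset_hints(account):
    """Build the only contact data the reset page is allowed to receive."""
    hints = {}
    if account.get("email"):
        hints["email_hint"] = mask_email(account["email"])
    if account.get("phone"):
        hints["phone_hint"] = mask_phone(account["phone"])
    return hints


def leaks_raw_contact(payload, account):
    """Regression check: True if the serialized response carries a raw value."""
    blob = json.dumps(payload)
    email = account.get("email") or ""
    digits = re.sub(r"\D", "", account.get("phone") or "")
    blob_digits = re.sub(r"\D", "", blob)
    return bool(email and email in blob) or bool(digits and digits in blob_digits)


if __name__ == "__main__":
    print(reset_hints(SAMPLE_ACCOUNT))
```

Running `leaks_raw_contact` against every response of the reset flow in automated tests catches a regression where a raw field is returned alongside, or instead of, the masked hint.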
Discovery and Public Demonstration
Security researchers identified this flaw and demonstrated it publicly on June 6, revealing how initiating a password reset could expose sensitive contact details. Accounts like @vxunderground shared images of this exposure, showing personal information from high-profile accounts.
Researcher @Scot0xo later confirmed the issue was rooted in a logic bug within the web reset flow, not due to an API credential leak or a server breach, underscoring the importance of Meta’s rapid response.
Ongoing Security Challenges
This incident is part of a series of security challenges for Instagram in 2026. Earlier in the year, similar vulnerabilities allowed mass password reset emails, and a flaw in Meta’s AI support chatbot led to account hijackings.
Experts attribute these issues to automated systems managing sensitive account operations without robust identity verification, increasing systemic risk. Despite no widespread data exfiltration in the latest incident, the exposure poses risks for phishing and account takeovers.
Meta has yet to assign a CVE identifier to this flaw. Users and security teams should stay attentive to Meta’s advisories for further information.
