A critical logic bug in Instagram’s web-based password reset flow on June 6, 2026, exposed unredacted email addresses and phone numbers associated with user accounts, including those belonging to high-profile individuals such as Meta CEO Mark Zuckerberg and model Georgina Rodriguez.

Instagram’s parent company Meta deployed an emergency hotfix within hours of the disclosure, but not before proof-of-concept screenshots circulated widely on social media, demonstrating the scope of the vulnerability.

The vulnerability resided in Instagram’s web-based password reset interface, where the account recovery screen, designed to display only partially redacted recovery options, failed to properly mask sensitive contact data before presenting it to the requesting party.

Researchers discovered that by initiating a standard password reset for any given username, the response returned fully visible email addresses and phone numbers rather than the partially obscured versions Instagram normally shows (e.g., m***@fb.com).

Proof-of-concept screenshots shared by security community accounts, including @vxunderground, showed login screens for accounts such as zuck revealing multiple associated emails alongside a linked phone number. This constitutes a direct violation of Meta’s data minimization policies and potentially GDPR Article 25 obligations around privacy by design.

The bug was first spotted and publicly demonstrated on June 6, 2026, by security researchers monitoring Meta’s account recovery infrastructure.

Within hours of the demonstrations going viral, security researcher @Scot0xo confirmed on X that the flaw was a logic bug in the web reset flow, not an API credential leak or server-side breach that leaked sensitive account data before Meta responded with a targeted emergency hotfix.

Meta confirmed the patch was applied rapidly, echoing its standard response posture: “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems.”

This incident is the latest in a string of Instagram security issues in 2026. In January, a similar password reset abuse allowed third parties to trigger reset emails en masse, coinciding with the alleged leak of 17.5 million Instagram user records on dark web forums.

In early June, a separate vulnerability in Meta’s AI-powered support chatbot was exploited by threat actors who used prompt injection to hijack high-profile accounts, including the White House archive page and U.S. Space Force accounts, by convincing the bot to link target accounts to attacker-controlled email addresses.

Security researchers have attributed the increasing frequency of these failures partly to architectural decisions around AI-driven automation of sensitive account functions, noting that granting AI systems privileged access to account recovery without robust identity verification creates systemic risk.

Meta confirmed that no widespread data exfiltration occurred in the June 6 incident. However, even brief exposure of unredacted account recovery data creates meaningful risk for phishing, SIM-swapping, and targeted account takeover attacks. The enumeration of multiple email addresses tied to a single account could also help adversaries map identity infrastructure across services.

Meta has not disclosed a CVE identifier for this logic flaw as of publication time. Users and security teams should continue monitoring Meta’s security advisories for further disclosure details.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.