Instagram Flaw Exposes Users’ Emails and Phone Numbers, Including High-Profile Accounts

Instagram’s Password Reset Flaw Exposes User Emails and Phone Numbers

On June 6, 2026, a significant security vulnerability was identified in Instagram’s web-based password reset mechanism, leading to the unintentional exposure of users’ email addresses and phone numbers. This flaw affected numerous accounts, including those of high-profile individuals such as Meta CEO Mark Zuckerberg and model Georgina Rodriguez.

The issue originated from a logic error within Instagram’s password reset interface. Typically, when users initiate a password reset, the platform displays partially redacted contact information to verify the account owner. However, due to this flaw, the system failed to mask these details appropriately, revealing full email addresses and phone numbers associated with the accounts.

Security researchers discovered that entering a username into the password reset field caused the system to return unredacted contact information. Proof-of-concept screenshots circulated on social media platforms, showcasing the vulnerability’s extent. For instance, the account recovery screen for the username “zuck” displayed multiple associated email addresses and a linked phone number without any obfuscation.
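The masking step described above can be enforced on the server and checked before a response leaves it. The following Python is an added example, not Instagram's or Meta's code; the function names, the fixed-length hint format, and the sample contact values are assumptions constructed for illustration.

```python
import json
import re

STARS = "*" * 6  # fixed-length run so the hint does not reveal the value's length

def mask_email(addr):
    local, sep, domain = addr.rpartition("@")
    host, dot, tld = domain.rpartition(".")
    if not (sep and local and host and dot and tld):
        raise ValueError("not an email address")
    return f"{local[0]}{STARS}@{host[0]}{STARS}.{tld}"

def mask_phone(number):
    digits = re.sub(r"\D", "", number)
    if len(digits) < 7:
        raise ValueError("not a phone number")
    return f"{STARS}{digits[-2:]}"

MASKERS = {"email": mask_email, "phone": mask_phone}

def build_reset_hints(contacts):
    """contacts: (kind, raw_value) pairs loaded server-side for the account."""
    hints = []
    for kind, raw in contacts:
        try:
            hints.append({"kind": kind, "hint": MASKERS[kind](raw)})
        except (KeyError, ValueError):
            continue  # fail closed: anything that cannot be masked is not shown
    return hints

def response_leaks(contacts, body):
    """True if the serialized response contains any raw contact value."""
    body_digits = re.sub(r"\D", "", body)
    for kind, raw in contacts:
        if raw and raw.lower() in body.lower():
            return True
        raw_digits = re.sub(r"\D", "", raw)
        if kind == "phone" and raw_digits and raw_digits in body_digits:
            return True
    return False

# Constructed sample data, not real account details
SAMPLE = [("email", "alice.example@mail.example"),
          ("phone", "+1 555 010 0199"),
          ("backup", "alice2@mail.example")]  # unknown kind: dropped, never echoed

if __name__ == "__main__":
    body = json.dumps(build_reset_hints(SAMPLE))
    print(body, "leaks:", response_leaks(SAMPLE, body))
```

Running `response_leaks` over recorded reset responses in an integration test catches a regression where a code path returns the stored value instead of the hint.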

This exposure is particularly concerning as it directly violates Meta’s data minimization policies and potentially breaches regulations like the General Data Protection Regulation (GDPR), which mandates privacy by design and default.

The vulnerability was first reported on June 6, 2026, by security researchers monitoring Meta’s account recovery infrastructure. Within hours of the public disclosure, Meta’s security team deployed an emergency hotfix to address the issue. In a statement, Meta confirmed the rapid response, stating, “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems.”

This incident is the latest in a series of security challenges for Instagram in 2026. Earlier in January, a similar flaw allowed third parties to trigger password reset emails en masse, coinciding with the alleged leak of 17.5 million Instagram user records on dark web forums. Additionally, in early June, a separate vulnerability in Meta’s AI-powered support chatbot was exploited by threat actors to hijack high-profile accounts, including those of the White House archive page and the U.S. Space Force.

These recurring security issues underscore the importance of robust security measures and prompt responses to vulnerabilities. Users are advised to remain vigilant, enable two-factor authentication, and monitor their accounts for any suspicious activity.