Meta has fixed a critical bug in Instagram’s password reset system that briefly exposed users’ email addresses and phone numbers through the platform’s account recovery process.
The issue was discovered on June 6, 2026, and affected Instagram’s web-based password reset flow. According to security researchers, the bug caused Instagram to display full email addresses and phone numbers linked to an account instead of showing partially hidden information as intended.
Normally, Instagram masks recovery details during the password reset process. For example, users would see something like “m***@example.com” rather than the full email address. However, due to a logic flaw, the system reportedly revealed complete contact information for affected accounts.
The vulnerability gained significant attention after screenshots demonstrating the issue were shared on social media. Some of the screenshots showed recovery information linked to high-profile accounts, including Meta CEO Mark Zuckerberg’s Instagram account.
Security researchers explained that the flaw could be triggered simply by initiating a password reset request for a username. Instead of returning redacted recovery options, the system displayed full email addresses and phone numbers associated with the account.
Shortly after the issue became public, Meta rolled out an emergency fix to prevent further exposure.
In a statement, the company said it had fixed an issue that allowed an external party to request password reset emails for some Instagram users. Meta also stated that there was no breach of its systems.
Researchers noted that the bug was a logic error within the password reset process and not the result of a server breach or compromised credentials. There is currently no evidence that attackers gained unauthorized access to Instagram’s internal systems.
Although Meta says no widespread data theft occurred, security experts warned that even temporary exposure of recovery information can create risks. Attackers could potentially use exposed email addresses and phone numbers in phishing campaigns, SIM-swapping attempts, or other account takeover attacks. The information could also help cybercriminals connect multiple online accounts belonging to the same user.
The incident adds to a growing list of security concerns involving Instagram and Meta platforms this year. Earlier in 2026, Instagram faced criticism over a separate password reset abuse issue that allowed large numbers of reset emails to be triggered. Reports also emerged around the same time regarding an alleged leak of millions of Instagram user records on dark web forums.
More recently, another security issue involving Meta’s AI-powered support chatbot reportedly allowed attackers to manipulate account recovery processes for several high-profile accounts.
Security researchers say these incidents highlight the importance of strong safeguards around account recovery systems. Features that handle password resets and identity verification are often targeted by attackers because they can provide a path into user accounts even when passwords remain secure.
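One safeguard of this kind, shown as an added example rather than Instagram's or Meta's code: a reset endpoint that builds its response only from masked hints such as "m***@example.com" and drops any value it cannot mask. The function names and the account record are hypothetical and constructed for illustration.

```python
import re

# Constructed sample record; not real account data.
SAMPLE = {"username": "constructed_user",
          "email": "maria@example.com", "phone": "+1 555 010 0199"}

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain."""
    if not _EMAIL_RE.match(email):
        raise ValueError("not an email address")
    local, domain = email.rsplit("@", 1)
    return f"{local[0]}***@{domain}"


def mask_phone(phone: str) -> str:
    """Keep only the last two digits; fixed-width mask hides the length."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 7:
        raise ValueError("not a phone number")
    return f"*** *** **{digits[-2:]}"


def recovery_options(account: dict) -> list[dict]:
    """Build the reset-page payload from an allowlist of masked fields.

    Raw values are never copied into the response, and a value that cannot
    be masked is dropped (fail closed) instead of being returned as-is.
    """
    options = []
    for kind, masker in (("email", mask_email), ("phone", mask_phone)):
        value = account.get(kind)
        if not value:
            continue
        try:
            options.append({"type": kind, "hint": masker(value)})
        except ValueError:
            continue  # no hint is better than a full value
    return options


def leaks(payload: list[dict], account: dict) -> bool:
    """Regression check: does any raw contact value appear in the payload?"""
    blob = repr(payload)
    return any(account.get(k) and account[k] in blob for k in ("email", "phone"))
```

Running `leaks` over the serialized response in an integration test catches the failure mode reported here, where the full value reaches the client instead of the hint.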
Meta has not assigned a public CVE identifier to the Instagram password reset flaw at the time of writing. The company has also not disclosed how many users may have been affected before the issue was patched.
Users are advised to ensure two-factor authentication is enabled on their Instagram accounts and remain cautious of unexpected emails, messages, or calls claiming to be from Instagram or Meta.







