# Instagram Password Reset Bug Exposes User Data

*Published June 8, 2026*
*Source: [https://cybersecuritynews.com/instagram-password-reset-user-phone/](https://cybersecuritynews.com/instagram-password-reset-user-phone/)*

## Executive Summary

A critical flaw in Instagram's password reset process exposed full email addresses and phone numbers of users, including high-profile accounts. Meta quickly deployed a hotfix, but the incident highlights ongoing security challenges and risks of phishing and account takeovers.

## Article

On June 6, 2026, a significant security flaw in Instagram's web-based password reset process exposed full email addresses and phone numbers associated with user accounts. This vulnerability affected numerous accounts, including those of high-profile individuals such as Meta CEO Mark Zuckerberg and model Georgina Rodriguez. The issue originated in the account recovery screen, which failed to properly redact sensitive contact information, displaying it in full to users initiating a password reset. Researchers demonstrated that by starting a password reset for any username, the system revealed complete email addresses and phone numbers instead of the expected partially obscured versions. 

Proof-of-concept screenshots quickly spread on social media, leading to widespread awareness of the flaw. Meta, Instagram's parent company, responded swiftly with an emergency hotfix within hours of the vulnerability's disclosure. Security researcher @Scot0xo confirmed that the issue was a logic bug in the web reset flow, not an API credential leak or server-side breach. Meta stated that while there was no breach of systems, the flaw allowed external parties to request password reset emails, briefly exposing sensitive data and presenting risks such as phishing and account takeover attacks. 
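The redaction failure described above, shown as an added defensive example (not Instagram's or Meta's code): a recovery handler that masks contact details on the server and fails closed, plus a regression check that flags any response carrying a full email address or phone number. The field names, masking format and sample account are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample account; all values are illustrative placeholders.
ACCOUNT = {"username": "example_user",
           "email": "alice.example@example.com",
           "phone": "+1 555 010 0142"}

def mask_email(email: str) -> str:
    """Keep first/last character of the local part; fixed-width mask hides its length."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        return "(hidden)"                      # fail closed on malformed input
    if len(local) <= 2:
        return "*****@" + domain               # too short to reveal any character
    return f"{local[0]}*****{local[-1]}@{domain}"

def mask_phone(phone: str) -> str:
    """Reveal only the last two digits."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 7:
        return "(hidden)"                      # fail closed on short/odd values
    return "*" * (len(digits) - 2) + digits[-2:]

def build_recovery_response(account: dict) -> dict:
    """Mask before serialization so full values never reach the client."""
    options = []
    if account.get("email"):
        options.append({"channel": "email", "hint": mask_email(account["email"])})
    if account.get("phone"):
        options.append({"channel": "sms", "hint": mask_phone(account["phone"])})
    return {"options": options}

def leaked_fields(account: dict, response: dict) -> list:
    """Regression check: contact fields whose full value appears in the response body."""
    body = json.dumps(response)
    leaks = []
    if account.get("email") and account["email"].lower() in body.lower():
        leaks.append("email")
    phone_digits = re.sub(r"\D", "", account.get("phone") or "")
    if phone_digits and phone_digits in re.sub(r"\D", "", body):
        leaks.append("phone")
    return leaks

if __name__ == "__main__":
    resp = build_recovery_response(ACCOUNT)
    print(json.dumps(resp, indent=2))
    print("leaks:", leaked_fields(ACCOUNT, resp))
```

Running `leaked_fields` against every recovery response in an integration test catches a regression where a template or serializer change starts emitting the raw fields again.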

This incident is part of a series of security challenges Instagram has faced in 2026. Earlier in the year, a similar password reset issue led to the mass triggering of reset emails and the alleged leak of millions of user records. A separate vulnerability allowed threat actors to exploit Meta's AI-powered support chatbot, hijacking high-profile accounts. Researchers have pointed to the architectural decisions around AI-driven automation of sensitive functions as contributing factors to these failures. Meta has yet to assign a CVE identifier for this recent flaw and advises users to keep monitoring security advisories for further updates.
