Instagram korrigiert Sicherheitslücke bei Passwort-Reset, die E-Mail-Adressen und Telefonnummern preisgab

Researchers discovered that a standard password reset for any given username, the response returned fully visible email addresses and phone numbers rather than the partially obscured versions Instagram normally shows (e.g., m***@fb.com ).

Proof-of-concept screenshots shared, including @vxunderground, showed login screens for accounts such as zuck revealing multiple associated emails alongside a linked phone number.

This constitutes a direct violation of Meta’s data minimization policies and potentially GDPR Article 25 obligations around privacy first spotted and publicly demonstrated on June 6, 2026, ’s account recovery infrastructure.

Technischer Hintergrund

Within hours of the demonstrations going viral, security researcher @Scot0xo confirmed on X that the flaw was a logic bug in the web reset flow, not an API credential leak or server-side breach that leaked sensitive account data before Meta responded with a targeted emergency hotfix.

Meta confirmed the patch was applied rapidly, echoing its standard response posture: “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems.” This incident is the latest in a string of Instagram security issues in 2026.

In January, a similar password reset abuse allowed third parties to trigger reset emails en masse, coinciding with the alleged leak of 17.5 million Instagram user records on dark web forums.

Sicherheitslage und Risiko

In early June, a separate vulnerability in Meta’s AI-powered support chatbot was exploited prompt injection to hijack high-profile accounts, including the White House archive page and U.S. Space Force accounts, link target accounts to attacker-controlled email addresses.

Security researchers have attributed the increasing frequency of these failures partly to architectural decisions around AI-driven automation of sensitive account functions, noting that granting AI systems privileged access to account recovery without robust identity verification creates systemic risk.

Meta confirmed that no widespread data exfiltration occurred in the June 6 incident. However, even brief exposure of unredacted account recovery data creates meaningful risk for phishing, SIM-swapping, and targeted account takeover attacks.

The enumeration of multiple email addresses tied to a single account could also help adversaries map identity infrastructure across services. Meta has not disclosed a CVE identifier for this logic flaw as of publication time. Users and security teams should continue monitoring Meta’s security advisories for further disclosure details.