Instagram suffered a brief but significant security incident on June 6, 2026, when a programming error in its password reset system exposed the full contact details of users attempting to recover their accounts. The flaw affected high-profile individuals including Meta CEO Mark Zuckerberg and footballer Kylian Mbappé, whose private phone numbers and email addresses became visible to anyone who entered their usernames into the reset tool. Meta implemented an emergency fix within hours of the issue being reported on social media.
The vulnerability stemmed from a logic bug in Instagram's password reset mechanism. Under normal operation, the system masks contact information by displaying only partial details, such as showing an email address as m***@fb.com. However, the coding error disabled this protection, allowing the full, unredacted contact information to appear on screen. Screenshots of the exposed data, including Zuckerberg's login screen, circulated widely on social media platforms before Meta could contain the issue.
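The masking behaviour described above, as an added example: this is not Instagram's or Meta's code, and the article does not publish the faulty logic. It shows one way to build a reset response from masked values only and to fail closed if a full contact value ever reaches the payload; all function names, field names and the sample account are hypothetical and constructed for illustration.

```python
import re

def mask_email(email: str) -> str:
    """Return a hint such as m***@fb.com; fail closed on malformed input."""
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or not domain or "@" in domain:
        return "***"  # never echo a value we cannot parse
    # A one-character local part would be fully revealed, so hide it too.
    first = local[0] if len(local) > 1 else ""
    return f"{first}***@{domain}"

def mask_phone(phone: str) -> str:
    """Keep only the last two digits; fail closed on short values."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 7:
        return "***"
    return "*" * (len(digits) - 2) + digits[-2:]

def leaks_raw_contact(payload: dict, account: dict) -> bool:
    """True if a full email or phone number appears anywhere in the payload."""
    email = (account.get("email") or "").lower()
    phone = re.sub(r"\D", "", account.get("phone") or "")
    for value in payload.values():
        text = str(value).lower()
        if email and email in text:
            return True
        if phone and phone in re.sub(r"\D", "", text):
            return True
    return False

def build_reset_hints(account: dict) -> dict:
    """Build the reset-page payload from masked values only, then self-check."""
    hints = {}
    if account.get("email"):
        hints["email_hint"] = mask_email(account["email"])
    if account.get("phone"):
        hints["phone_hint"] = mask_phone(account["phone"])
    if leaks_raw_contact(hints, account):
        raise RuntimeError("unmasked contact data in reset response")
    return hints

# Constructed sample account (not real data).
SAMPLE = {"email": "mark@example.com", "phone": "+1 555 555 0155"}

if __name__ == "__main__":
    print(build_reset_hints(SAMPLE))
```

The same leaks_raw_contact check can run in a regression test against the rendered reset page, so a change that bypasses masking is caught before release.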
Security researchers have classified this as a logic flaw rather than a system breach, meaning no external attackers penetrated Meta's infrastructure to extract data. The bug revealed information that was already associated with user accounts but should have remained hidden during the password reset process. The incident also exposed previously unknown accounts, including what appears to be Mbappé's private TikTok profile not linked to his public identity. Meta has not yet assigned a CVE identifier to track this vulnerability formally.
The exposure raises compliance concerns under European data protection regulations, specifically GDPR Article 25, which requires privacy by design and default in systems handling personal data. While Meta maintains that no mass data theft occurred, the temporary visibility of contact details creates security risks for affected users. Exposed phone numbers and email addresses can be exploited for phishing campaigns, SIM-swapping attacks that hijack phone services, or cross-referencing to identify other online accounts belonging to the targets.
This incident adds to a troubling pattern of security issues at Instagram in 2026. In January, scammers exploited the password system to distribute millions of fraudulent emails, and approximately 17.5 million user records allegedly appeared on dark web forums. More recently in June, attackers used prompt injection techniques to compromise Meta's AI customer service chatbot, gaining control of high-profile accounts including the White House archive and US Space Force pages. Organizations and individuals using Instagram should review their account security settings, enable two-factor authentication using authenticator apps rather than SMS, and monitor for suspicious activity following this exposure.
Source: https://hackread.com/instagram-glitch-leaks-contact-info-mark-zuckerberg-users/


