Instagram Fixes Password Reset Flaw That Exposes User Emails and Phone Numbers

On June 6, 2026 a logic bug in Instagram’s web password-reset interface caused account recovery responses to display fully unredacted email addresses and phone numbers tied to usernames, with proof-of-concept screenshots circulating publicly (including for high-profile accounts). Meta rolled out an emergency hotfix within hours and stated there was no breach, but the brief exposure of PII elevated risk of phishing, SIM-swapping, and targeted account takeover and highlights systemic risks from automating sensitive account functions.