An unexpected incident occurred on 6 June 2026 when, reportedly, a security flaw at Instagram briefly exposed private data of top users, including Meta head Mark Zuckerberg and several others.
The issue was reportedly found in Instagram’s website tool that people use when they forget their passwords and need to reset them. The exposed data included personal phone numbers and email addresses of the impacted personalities.
Normally, when someone tries to reset a password, Instagram hides most of the contact details. For example, it might show an email as m***@fb.com to protect the owner.
However, a glitch in the website’s code stopped this hiding process from working. Anyone who typed in a username could see the full, real email addresses and phone numbers connected to that account.
Pictures showing the vulnerability working spread quickly on social media as several accounts shared images of Mark Zuckerberg ’s login screen, which showed his private emails and phone number.
Meta is still having some minor security problems. Instagram is currently exposing phone numbers and email addresses associated with accounts when trying to perform a password reset This is cool and badass because everyone is sharing Mark Zuckerbergs phone number right now
International Cyber Digest, a cybersecurity feed on X, posted about the flaw, which exposed football star Kylian Mbappé’s hidden TikTok account. The account was not publicly linked to his official identity or public brand.
Preliminary investigation revealed the issue was a logic bug, and there was no indication of hackers infiltrating Meta’s main servers to steal data. A logic bug means it was an error in how the website was programmed to think.
Meta hasn’t given the flaw an official CVE tracking name yet. However, experts say showing this data breaks Meta’s own rules and might break European GDPR Article 25 privacy laws.
One X user criticized the company, writing that this newest leak “is what happens when you fire the experts and rely on brain-dead AI to run core infrastructure.”
This isn’t the first safety issue for Instagram this year because in January 2026, there was another incident where scammers abused its password system to send out millions of fake emails. Around the same time, lists containing 17.5 million user records were allegedly leaked on dark web forums.
In another event this June, threat actors used prompt injection to trick Meta’s AI customer service chatbot . By feeding the AI confusing instructions, they hijacked top accounts, including pages for the White House archive and the US Space Force.
Regarding the Instagram password-reset flaw, Meta, Instagram’s owner, acted fast and implemented an emergency fix within a few hours to stop the leak. “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems,” the company released this statement.
However, there’s still a question mark over its data safety rules. While the company says no data was stolen en masse, exposure of these details brings bad consequences. Scammers can use full phone numbers and emails for phishing scams, SIM-swapping attacks to steal phone lines, or to identify a target’s other online accounts.
Your email address will not be published. Required fields are marked *