Instagram Password Reset Bug Reportedly Exposed Emails and Phone Numbers Before Fix
Instagram reportedly fixed a password reset flaw that exposed unredacted recovery details, including email addresses and phone numbers, through its web-based account recovery flow.
The issue surfaced on June 6, 2026, when screenshots shared by security-focused accounts showed Instagram’s reset page displaying full contact details instead of masked recovery options. A Hackread report said the exposed data appeared during the password reset process and included contact information linked to high-profile accounts.
The flaw was different from a full database breach. It centered on account recovery logic, where a page meant to help users confirm their recovery options allegedly revealed more information than it should have shown.
Instagram reset flow exposed more data than expected
Password reset pages usually show only partial recovery details. For example, a service may display a few letters of an email address or the last digits of a phone number so the real account owner can recognize the option without exposing the full contact detail.
In this case, the web reset screen reportedly displayed full email addresses and phone numbers. The Instagram glitch did not require attackers to break into an account first, which made the exposure especially sensitive for public figures, creators, journalists, and business users.
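The masking the article describes, as an added example rather than Instagram's or Meta's own code. The Account record, the hint format (first character of the local part and domain plus the top-level domain, last two digits of the phone number, fixed-width padding) and the function names are assumptions; the sample account is constructed. The last function is the kind of regression check a reset page should fail if it ever emits the raw contact values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


# Constructed model of an account record; not Meta's data model.
@dataclass(frozen=True)
class Account:
    username: str
    email: Optional[str] = None
    phone: Optional[str] = None


# Fixed-width padding so the hint does not reveal the length of the real value.
PAD = "*" * 5


def mask_email(email: str) -> str:
    """Turn 'jane.doe@gmail.com' into 'j*****@g*****.com': the first character
    of the local part, the first character of the domain and the top-level
    domain are enough for the owner to recognise the address."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    domain_name, _, tld = domain.rpartition(".")
    if not domain_name:
        # Domain without a dot: keep only its first character.
        return f"{local[0]}{PAD}@{domain[0]}{PAD}"
    return f"{local[0]}{PAD}@{domain_name[0]}{PAD}.{tld}"


def mask_phone(phone: str) -> str:
    """Keep only the last two digits of the number, e.g. '*****23'."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 4:
        raise ValueError("not a usable phone number")
    return f"{PAD}{digits[-2:]}"


def render_recovery_options(account: Account) -> List[Dict[str, str]]:
    """Build the data a reset page should show: masked hints only.
    The raw contact values never leave this function."""
    options: List[Dict[str, str]] = []
    if account.email:
        options.append({"channel": "email", "hint": mask_email(account.email)})
    if account.phone:
        options.append({"channel": "sms", "hint": mask_phone(account.phone)})
    return options


def leaks_full_contact(rendered: List[Dict[str, str]], account: Account) -> bool:
    """Regression check for the reset page: True if any raw contact value
    (or the phone's bare digit string) appears anywhere in the rendered data."""
    blob = repr(rendered)
    raw_values = [v for v in (account.email, account.phone) if v]
    if account.phone:
        raw_values.append(re.sub(r"\D", "", account.phone))
    return any(v in blob for v in raw_values)


if __name__ == "__main__":
    # Constructed sample account.
    acct = Account("jane_doe", "jane.doe@gmail.com", "+1 (415) 555-0123")
    page = render_recovery_options(acct)
    print(page)
    print("leaks full contact details:", leaks_full_contact(page, acct))
```

The padding is fixed-width on purpose: echoing the real length of an address or number is a small extra leak that a hint does not need. The `leaks_full_contact` check belongs in the page's automated tests, so that a template or serializer change that starts passing the raw values through is caught before release.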
Meta has not published a CVE for the reported June 6 masking issue. The company also has not released a detailed public technical advisory for that specific reset-page exposure.
| Issue | What happened | Main risk |
|---|---|---|
| Reported web reset masking bug | Recovery contact details appeared without normal redaction | Phishing, SIM-swapping, and targeted harassment |
| Confirmed High Touch Support (HTS) recovery-tool flaw | Password reset links were sent to email addresses not tied to the target account | Account takeover for users without 2FA |
| January password reset incident | Third parties could trigger password reset emails for some users | User confusion and data breach fears |
Meta also confirmed a separate Instagram recovery flaw
The password reset concern arrived days after Meta confirmed a separate Instagram account recovery incident involving its AI-assisted High Touch Support tool. According to BleepingComputer, Meta said 20,225 Instagram users had their accounts hijacked after attackers abused the recovery system to reset passwords.
The confirmed flaw involved a validation failure. The support tool did not properly check whether the email address supplied during recovery matched the email address already attached to the Instagram account.
A report from The Verge said Meta linked the incident to a Maine breach notice and said attackers could receive password reset links for accounts they did not own. Accounts without two-factor authentication faced the greatest risk.
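The validation failure described above, modelled as an added example that is not Meta's support-tool code. The Account and Outbox types, the audit list and the function names are assumptions, and the sample account is constructed. The first function reproduces the defect (the address typed into the recovery form is trusted); the second is the hardened form a recovery tool should use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Constructed models; not Meta's account, mail or support-tool code.
@dataclass
class Account:
    username: str
    email: str  # recovery address already on file


@dataclass
class Outbox:
    """Stands in for the mail service; records what would have been sent."""
    sent: List[Dict[str, str]] = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append({"to": to, "body": body})


def normalize_email(email: str) -> str:
    return email.strip().lower()


def _fingerprint(email: str) -> bytes:
    # Hash before comparing so the comparison is constant-time regardless of length.
    return hashlib.sha256(normalize_email(email).encode("utf-8")).digest()


def issue_reset_link_vulnerable(account: Account, supplied_email: str, outbox: Outbox) -> str:
    """Models the validation failure the article describes: the address typed
    into the recovery form is never checked against the account and receives
    the reset link."""
    token = secrets.token_urlsafe(32)
    outbox.send(supplied_email, f"reset token: {token}")
    return token


def issue_reset_link(account: Account, supplied_email: str, outbox: Outbox,
                     audit: List[Dict[str, str]]) -> Optional[str]:
    """Hardened flow: the link goes only to the address already on file, and
    only when the supplied address matches it. Mismatches are recorded for
    detection; the caller should show the same generic response either way."""
    if not hmac.compare_digest(_fingerprint(supplied_email), _fingerprint(account.email)):
        audit.append({"event": "recovery_email_mismatch", "username": account.username})
        return None
    token = secrets.token_urlsafe(32)
    outbox.send(account.email, f"reset token: {token}")  # never the supplied address
    return token


if __name__ == "__main__":
    # Constructed sample account and a mismatching recovery request.
    acct = Account("brand_account", "owner@example.com")
    outbox, audit = Outbox(), []
    print(issue_reset_link(acct, "someone-else@example.net", outbox, audit))  # None
    print(outbox.sent, audit)
```

Two design points matter here. The hardened path sends to `account.email`, the value on file, and never to the submitted string, so even a comparison bug could not redirect the link. And every mismatch produces an audit event; a burst of such events against one username is the signal a detection team would alert on.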
High-profile Instagram accounts were targeted
The recent Instagram recovery issues drew attention because some high-profile accounts were reportedly affected. KrebsOnSecurity reported on June 1 that attackers abused Meta’s AI support assistant to seize Instagram accounts, including accounts linked to major brands and public institutions.
Attackers in that incident allegedly convinced the support workflow to connect a target account to an attacker-controlled email address. Once that happened, the attacker could request a password reset and take control if the account lacked stronger authentication.
The KrebsOnSecurity report also highlighted a broader concern: AI-based account support can create new risk when automated systems handle sensitive recovery actions without strong identity checks.
- The June 6 issue reportedly exposed recovery contact data through the web reset page.
- The confirmed HTS issue allowed password reset links to go to unlinked email addresses.
- Users without two-factor authentication faced higher account takeover risk in the HTS incident.
- Meta said it disabled the abused support tool and secured affected accounts.
Why exposed recovery details matter
Email addresses and phone numbers can help attackers build convincing phishing campaigns. They can also support SIM-swapping attempts, credential stuffing, and identity mapping across multiple platforms.
That is why password reset pages normally mask recovery information. A small hint can help legitimate users identify the right recovery option, but full contact details can help attackers target the account owner outside Instagram.
Meta’s confirmed HTS incident also shows the danger of weak checks in account recovery systems. BleepingComputer’s coverage said the attackers could have accessed contact information, dates of birth, posts, direct messages, account activity, profile details, and connected accounts after taking over affected accounts.
Instagram faced reset-related security concerns earlier this year
Instagram also dealt with a password reset problem in January 2026. The Register reported that Meta fixed an issue that allowed an external party to request password reset emails for some Instagram users.
At the time, Meta said there had been no breach of its systems and told users they could ignore the unexpected password reset emails. The January case created confusion because it appeared alongside separate claims about a large Instagram user dataset.
The new incidents place more pressure on Meta’s account recovery systems. Instagram users depend on recovery flows when they lose access, but those same flows become attractive targets if attackers can extract contact details or redirect reset links.
| User action | Why it helps |
|---|---|
| Enable two-factor authentication | Adds a second step that can block many password reset takeover attempts |
| Review account emails and phone numbers | Removes outdated recovery details that could create account recovery risk |
| Check login activity | Helps spot unfamiliar sessions before attackers make deeper changes |
| Use a unique password | Reduces the risk from password reuse across breached services |
What Instagram users should do now
Instagram users should review their account security settings, especially if they recently received unexpected password reset emails or noticed unusual login alerts. Instagram’s official guide for two-factor authentication explains how users can add an extra login step to protect their accounts.
Users should also confirm that their recovery email address and phone number are current. Instagram’s account security guidance recommends using a strong password, enabling 2FA, and watching for suspicious emails, messages, and login attempts.
If an account may already be compromised, users should use Instagram’s official hacked-account recovery page. The Instagram hacked account guide explains how users can request help, check recovery steps, and regain control of an affected profile.
Why this matters beyond Instagram
Account recovery has become one of the most sensitive parts of any social platform. It must help real users get back into locked accounts, but it must also stop attackers who know only a username, email hint, or phone number.
The June incidents show how small logic errors can have large consequences. A masking failure can expose personal contact details, while a reset validation failure can let attackers take over accounts without stealing a password.
For Instagram users, the practical advice remains simple: enable 2FA on Instagram, keep recovery details private and updated, and treat unexpected password reset messages as a warning sign. For Meta, the incidents show why recovery flows need stricter testing, tighter monitoring, and more human review when high-risk changes affect account ownership.
Anyone who sees unfamiliar activity should follow Instagram’s hacked account instructions and review the platform’s security recommendations before making further account changes.
The Verge noted that Meta disabled the affected AI support tool, removed the faulty code path, invalidated reset links, and placed potentially affected accounts behind a mandatory security checkpoint. That response addressed the confirmed HTS flaw, but the reported web reset exposure shows that account recovery remains a high-risk area for Instagram.
The earlier January incident covered by The Register adds more context. Instagram has now faced multiple reset-related security concerns in 2026, and users should treat recovery emails, contact detail prompts, and login alerts with extra caution.
FAQ
The reported flaw affected Instagram’s web password reset flow and allegedly showed full recovery contact details, such as email addresses and phone numbers, instead of masking them. Meta has not published a CVE for that specific reported masking issue.
There is no public evidence that the reported reset-page masking issue exposed Instagram passwords. The risk centered on exposed recovery contact details, which can help attackers with phishing, SIM-swapping, or targeted account takeover attempts.
The reported June 6 issue involved exposed recovery contact information on the web reset page. The confirmed Meta AI support incident involved a separate account recovery tool that sent password reset links to email addresses not linked to the target Instagram account, affecting 20,225 users.
Instagram users should enable two-factor authentication, review account recovery email addresses and phone numbers, check login activity, remove unfamiliar linked accounts, and treat unexpected password reset emails as suspicious.