Instagram, TikTok and White House: Instagram Glitch Reportedly Exposed Contact Info of Zuckerberg and Other Users

Instagram, TikTok and White House: Instagram Glitch Reportedly Exposed Contact Info of Zuckerberg and Other Users

Instagram Password Reset Flaw Briefly Exposed Private Data of High-Profile Users

On 6 June 2026, a security flaw in Instagram’s password reset tool temporarily exposed the private email addresses and phone numbers of high-profile users, including Meta CEO Mark Zuckerberg and football star Kylian Mbappé. The vulnerability stemmed from a logic bug in the website’s code, which failed to mask sensitive contact details during password reset requests displaying full information instead of the usual redacted format (e.g., m@fb.com*).

The issue gained widespread attention after screenshots of Zuckerberg’s exposed details circulated on social media, with cybersecurity accounts like vx-underground and International Cyber Digest highlighting the flaw. The latter also revealed that Mbappé’s hidden TikTok account, not publicly linked to his identity, was compromised in the same incident.

Meta confirmed the bug was not the result of a system breach but rather a programming error. The company deployed an emergency fix within hours, stating that no mass data theft occurred. However, experts noted the exposure violated Meta’s own privacy policies and could potentially breach EU GDPR Article 25, which mandates data protection by design.

The incident underscores broader security challenges for Instagram, which has faced multiple issues in 2026. In January, scammers exploited its password system to send millions of fake emails, while a separate dark web leak allegedly exposed 17.5 million user records. Earlier this month, threat actors also hijacked high-profile accounts, including those of the White House archive and US Space Force, by manipulating Meta’s AI customer service chatbot through prompt injection attacks.

While Meta emphasized that the password reset flaw was contained, the exposure of sensitive details raises risks of phishing, SIM-swapping, and targeted account takeovers. No CVE tracking number has been assigned to the vulnerability as of reporting.

Source: https://hackread.com/instagram-glitch-leaks-contact-info-mark-zuckerberg-users/

Instagram TPRM report: https://www.rankiteo.com/company/instagram

TikTok TPRM report: https://www.rankiteo.com/company/tiktok

White House TPRM report: https://www.rankiteo.com/company/whitespider

"id": "whitikins1780922089",
"linkid": "whitespider, tiktok, instagram",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'High-profile users including '
                                              'Mark Zuckerberg and Kylian '
                                              'Mbappé',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Meta (Instagram)',
                        'size': 'Large',
                        'type': 'Social Media Platform'}],
 'attack_vector': 'Logic Bug in Password Reset Tool',
 'customer_advisories': 'Public confirmation of the bug and reassurance that '
                        'no mass data theft occurred',
 'data_breach': {'data_exfiltration': 'No mass data theft occurred',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Private email addresses and '
                                             'phone numbers'},
 'date_detected': '2026-06-06',
 'date_publicly_disclosed': '2026-06-06',
 'description': 'A security flaw in Instagram’s password reset tool '
                'temporarily exposed the private email addresses and phone '
                'numbers of high-profile users, including Meta CEO Mark '
                'Zuckerberg and football star Kylian Mbappé. The vulnerability '
                'stemmed from a logic bug in the website’s code, which failed '
                'to mask sensitive contact details during password reset '
                'requests.',
 'impact': {'brand_reputation_impact': 'High',
            'data_compromised': 'Private email addresses and phone numbers',
            'identity_theft_risk': 'Phishing, SIM-swapping, targeted account '
                                   'takeovers',
            'legal_liabilities': 'Potential breach of EU GDPR Article 25',
            'systems_affected': 'Instagram password reset tool'},
 'investigation_status': 'Resolved (bug fixed)',
 'lessons_learned': 'The incident underscores broader security challenges for '
                    'Instagram, highlighting the need for stricter data '
                    'protection measures in password reset tools and adherence '
                    'to privacy-by-design principles.',
 'post_incident_analysis': {'corrective_actions': 'Emergency fix to mask '
                                                  'sensitive contact details '
                                                  'during password reset '
                                                  'requests',
                            'root_causes': 'Logic bug in Instagram’s password '
                                           'reset tool code'},
 'references': [{'source': 'vx-underground'},
                {'source': 'International Cyber Digest'}],
 'regulatory_compliance': {'regulations_violated': ['EU GDPR Article 25']},
 'response': {'communication_strategy': 'Public confirmation of the bug and '
                                        'reassurance that no mass data theft '
                                        'occurred',
              'containment_measures': 'Emergency fix deployed within hours',
              'remediation_measures': 'Bug fix to mask sensitive contact '
                                      'details'},
 'title': 'Instagram Password Reset Flaw Briefly Exposed Private Data of '
          'High-Profile Users',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Failure to mask sensitive contact details during '
                            'password reset requests'}
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.