Find notable cyber news and cases, enriched with sources, timelines, and signals.

Instagram private profiles server-side authorization failure security flaw

Vulnerability
First reported
Last updated
Happening score
H score 14
1 unique sources, 1 articles

Summary

Hide ▲

A server-side authorization failure in Instagram private profiles exposed links to private photos in HTML responses, allowing unauthenticated visitors to reach content that should have stayed behind the follower gate. Meta reportedly fixed the issue after a disclosure submitted as early as October 12, 2025, and the exploit stopped working around October 16. The researcher said a proof-of-concept showed the leak and that at least 28% of his private test profiles returned photo links.

Related Happenings

Instagram account data exposed through Meta HTS recovery flaw

Data Leak
H score40 First: 08.06.2026 11:00 Last: 08.06.2026 11:00 Sources 1

About this happening: **Instagram account data** was exposed after a flaw in **Meta’s High Touch Support (HTS)** recovery flow let unauthorized third parties receive password reset links for **20,225 a...

Instagram High Touch Support password reset security flaw

Vulnerability
H score40 First: 08.06.2026 09:00 Last: 08.06.2026 09:00 Sources 1

About this happening: **Meta's High Touch Support (HTS)** flaw enabled attackers to trigger **Instagram password resets**, creating account-takeover risk for **over 20,000 users** and weakening protect...

Meta AI-powered support tools abused in Instagram account recovery flow

Security Tool/Service
H score26 First: 02.06.2026 18:47 Last: 02.06.2026 18:47 Sources 1

About this happening: **Instagram accounts** were hijacked after attackers abused **Meta’s AI-powered support tools** to pass recovery checks and change the recovery email, creating a direct failure in...

U.S. Supreme Court hit by network compromise

Incident
H score28 First: 19.01.2026 18:04 Last: 19.01.2026 18:04 Sources 1

About this happening: The **U.S. Supreme Court**, **AmeriCorps**, and the **Department of Veterans Affairs** suffered a **stolen-credential** account compromise that exposed restricted systems and sens...

BitB phishing campaign targeting Facebook users

Campaign
H score38 First: 12.01.2026 23:05 Last: 12.01.2026 23:05 Sources 1

About this happening: A **six-month** phishing campaign is using **browser-in-the-browser (BitB)** fake login pop-ups to steal **Facebook credentials**, increasing the risk of **account takeover** and...

Timeline

  1. 31.01.2026 16:27 1 articles · 5mo ago

    Instagram private-profile leak stops working

    Mitigation Patch Update

    The Instagram private-profile leak stopped working on tested accounts around October 16, 2025 after Meta changed the service, although Meta later closed the case as "not applicable" and did not confirm the root cause.

    Show sources
  2. 31.01.2026 16:27 2 articles · 5mo ago

    Public evidence documents the Instagram leak

    Technical Analysis Update

    Disclosure materials documented a proof-of-concept video, a GitHub repository, encoded CDN links inside the polaris_timeline_connection JSON object, and test results showing at least 28% of private test profiles returned links to private photos; the correspondence also records Meta triage language that an unreproducible issue might have been fixed as an unintended side effect.

    Show sources