Instagram private profiles server-side authorization failure security flaw
Vulnerability
Summary
Hide ▲
Show ▼
A server-side authorization failure in Instagram private profiles exposed links to private photos in HTML responses, allowing unauthenticated visitors to reach content that should have stayed behind the follower gate. Meta reportedly fixed the issue after a disclosure submitted as early as October 12, 2025, and the exploit stopped working around October 16. The researcher said a proof-of-concept showed the leak and that at least 28% of his private test profiles returned photo links.
Related Happenings
Instagram account data exposed through Meta HTS recovery flaw
Data Leak
H score40
First: 08.06.2026 11:00
Last: 08.06.2026 11:00
Sources 1
About this happening:
**Instagram account data** was exposed after a flaw in **Meta’s High Touch Support (HTS)** recovery flow let unauthorized third parties receive password reset links for **20,225 a...
Instagram account data exposed through Meta HTS recovery flaw
Data LeakAbout this happening: **Instagram account data** was exposed after a flaw in **Meta’s High Touch Support (HTS)** recovery flow let unauthorized third parties receive password reset links for **20,225 a...
Instagram High Touch Support password reset security flaw
Vulnerability
H score40
First: 08.06.2026 09:00
Last: 08.06.2026 09:00
Sources 1
About this happening:
**Meta's High Touch Support (HTS)** flaw enabled attackers to trigger **Instagram password resets**, creating account-takeover risk for **over 20,000 users** and weakening protect...
Instagram High Touch Support password reset security flaw
VulnerabilityAbout this happening: **Meta's High Touch Support (HTS)** flaw enabled attackers to trigger **Instagram password resets**, creating account-takeover risk for **over 20,000 users** and weakening protect...
Meta AI-powered support tools abused in Instagram account recovery flow
Security Tool/Service
H score26
First: 02.06.2026 18:47
Last: 02.06.2026 18:47
Sources 1
About this happening:
**Instagram accounts** were hijacked after attackers abused **Meta’s AI-powered support tools** to pass recovery checks and change the recovery email, creating a direct failure in...
Meta AI-powered support tools abused in Instagram account recovery flow
Security Tool/ServiceAbout this happening: **Instagram accounts** were hijacked after attackers abused **Meta’s AI-powered support tools** to pass recovery checks and change the recovery email, creating a direct failure in...
U.S. Supreme Court hit by network compromise
Incident
H score28
First: 19.01.2026 18:04
Last: 19.01.2026 18:04
Sources 1
About this happening:
The **U.S. Supreme Court**, **AmeriCorps**, and the **Department of Veterans Affairs** suffered a **stolen-credential** account compromise that exposed restricted systems and sens...
U.S. Supreme Court hit by network compromise
IncidentAbout this happening: The **U.S. Supreme Court**, **AmeriCorps**, and the **Department of Veterans Affairs** suffered a **stolen-credential** account compromise that exposed restricted systems and sens...
BitB phishing campaign targeting Facebook users
Campaign
H score38
First: 12.01.2026 23:05
Last: 12.01.2026 23:05
Sources 1
About this happening:
A **six-month** phishing campaign is using **browser-in-the-browser (BitB)** fake login pop-ups to steal **Facebook credentials**, increasing the risk of **account takeover** and...
BitB phishing campaign targeting Facebook users
CampaignAbout this happening: A **six-month** phishing campaign is using **browser-in-the-browser (BitB)** fake login pop-ups to steal **Facebook credentials**, increasing the risk of **account takeover** and...
Timeline
-
31.01.2026 16:27 1 articles · 5mo ago
Instagram private-profile leak reported to Meta
Initial DisclosureJatin Banga submitted findings to Meta about Instagram private profiles exposing links to private photos in HTML responses when accessed from certain mobile devices.
Show sources
- Researcher reveals evidence of Instagram private profiles leaking photos — www.bleepingcomputer.com — 31.01.2026 16:27
-
31.01.2026 16:27 1 articles · 5mo ago
Instagram private-profile leak stops working
Mitigation Patch UpdateThe Instagram private-profile leak stopped working on tested accounts around October 16, 2025 after Meta changed the service, although Meta later closed the case as "not applicable" and did not confirm the root cause.
Show sources
- Researcher reveals evidence of Instagram private profiles leaking photos — www.bleepingcomputer.com — 31.01.2026 16:27
-
31.01.2026 16:27 2 articles · 5mo ago
Public evidence documents the Instagram leak
Technical Analysis UpdateDisclosure materials documented a proof-of-concept video, a GitHub repository, encoded CDN links inside the polaris_timeline_connection JSON object, and test results showing at least 28% of private test profiles returned links to private photos; the correspondence also records Meta triage language that an unreproducible issue might have been fixed as an unintended side effect.
Show sources
- Researcher reveals evidence of Instagram private profiles leaking photos — www.bleepingcomputer.com — 31.01.2026 16:27
- Researcher reveals evidence of Instagram private profiles leaking photos — www.bleepingcomputer.com — 31.01.2026 16:27