Researchers have found a second security bug in a popular social media app — barely a week after an earlier high-profile incident.

Barely a week after a separate AI-assisted account takeover campaign where even Barack Obama’s inactive White House account had been compromised, Meta is facing fresh scrutiny after researchers disclosed a second flaw in Instagram.

This time, the flaw involves a password reset bug that had exposed user contact details in plain text. The issue reportedly affected Instagram’s web-based recovery flow and briefly revealed email addresses and phone numbers that are normally masked, including contact information tied to the account “zuck”, which is widely associated with Mark Zuckerberg.

The newly reported bug appears to have been a logic error in how Instagram handles password-reset requests. According to security reports, a standard reset request for a username could return fully visible recovery information instead of the redacted version users would ordinarily see, turning a routine account-help screen into a privacy leak. Proof-of-concept screenshots circulated by security accounts showed the sensitive data before Meta moved to patch the flaw.

The disclosure follows days after hackers said they had used Meta’s AI support chatbot to seize control of high-profile Instagram accounts by manipulating the account-recovery process. Meta said it had fixed the chatbot-related problem and was securing affected accounts, but the incidents have raised broader questions about how much authority AI systems should have over sensitive administrative functions.

Security reporting by the BBC on the breach had warned that the chatbot could be steered into actions that normally require stronger identity checks, highlighting the risks of giving automated support tools direct access to account controls.)

Taken together, the two flaws suggest a recurring weakness in Instagram’s account-security design: automated recovery systems can create useful shortcuts for legitimate users, but they also enlarge the attack surface if authorization checks are incomplete.

For Meta, the timing was especially damaging because the AI takeover story had already put the firm’s account-protection practices under intense scrutiny.