
Blockchain security firm GoPlus disclosed on X on June 8 that Meta’s account recovery feature has a high-risk design flaw: an attacker only needs to enter a Meta username, without any login or verification, to directly obtain the complete PII (personally identifiable information) bound to that user, such as email addresses and phone numbers. The UK’s Daily Metro reported that International Cyber Digest has verified this vulnerability.
GoPlus’s security recommendations
The user protection measures GoPlus published for this vulnerability:
· Remove or replace the leaked email addresses/phone numbers as account recovery methods
· Change the relevant account passwords and enable two-factor authentication (2FA)
· Do not click on any emails or SMS messages related to “account abnormality,” “verification,” or “reset password”
· Verify through multiple channels: confirm the authenticity of any notice via official documents or other official community and social media channels
Confirmed cases of the vulnerability’s impact
International Cyber Digest confirmed in an X post: “Meta has another big problem: its account recovery feature allows an attacker to obtain complete account personal identity information, including email addresses and phone numbers, with only a username. We verified this claim and found social media accounts belonging to several public figures.”
The confirmed affected accounts include: Madrid player Kylian Mbappé (whose personal TikTok account information was leaked), Cristiano Ronaldo’s wife Georgina Rodriguez, the former White House Instagram account (originally owned by Barack Obama, with over 2.4 million followers) and former Meta security engineer Jane Manchun Wong. GoPlus also pointed out that the community has publicly released personal information linked to Mark Zuckerberg’s Meta account to verify the existence of the vulnerability.
Common questions
What is the specific attack method of this vulnerability?
According to GoPlus and International Cyber Digest, the attacker uses Meta’s account recovery feature by entering only the target account’s username; without any login credentials or identity verification, the feature returns the complete PII bound to that account, including the email address and phone number.
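To make the design flaw concrete from the defender’s side, the following is an added illustration in Python; it is not Meta’s code and not published by GoPlus or International Cyber Digest. It places the leaky lookup pattern the report describes (a bare username returns the full contact details) next to a hardened version that only ever returns masked hints, answers identically for unknown usernames, and rate-limits callers so the endpoint cannot be scraped at scale. The user records are constructed sample data, and the masking rules and rate-limit window are hypothetical design choices.

```python
"""Account-recovery lookup: the leaky pattern beside a hardened one.

Added illustration, not Meta's code. USERS holds constructed sample data;
the masking rules and the rate limit below are hypothetical design choices.
"""
import re
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str
    email: str
    phone: str  # E.164 format, e.g. "+14155550123"


# Constructed sample records (not real accounts).
USERS = {
    "alice": User("alice", "alice.example@example.com", "+14155550123"),
    "bob": User("bob", "bob@example.org", "+442079460958"),
}


def leaky_recovery_lookup(username: str) -> dict:
    """The flawed pattern described in the report: a username alone, with no
    credentials or verification, yields the raw email and phone number, and a
    miss reveals that the username does not exist (user enumeration)."""
    user = USERS.get(username)
    if user is None:
        return {"error": "no such user"}
    return {"email": user.email, "phone": user.phone}


def _mask(s: str) -> str:
    """Keep the first and last character, star out the rest."""
    return s[0] + "*" * (len(s) - 2) + s[-1] if len(s) > 2 else "*" * len(s)


def mask_email(email: str) -> str:
    """'alice.example@example.com' -> 'a***********e@e*****e.com'"""
    local, _, domain = email.partition("@")
    dom_name, _, tld = domain.rpartition(".")
    return f"{_mask(local)}@{_mask(dom_name)}.{tld}"


def mask_phone(phone: str) -> str:
    """Reveal only the last two digits: '+14155550123' -> '+*********23'"""
    return re.sub(r"\d(?=\d{2})", "*", phone)


_WINDOW_SECONDS = 600  # hypothetical: 10-minute sliding window
_MAX_PER_WINDOW = 5    # hypothetical: at most 5 lookups per client per window
_attempts: dict = {}


def _rate_limited(client_key: str, now: float) -> bool:
    """Sliding-window counter keyed by the caller (IP, device, session)."""
    recent = [t for t in _attempts.get(client_key, []) if now - t < _WINDOW_SECONDS]
    recent.append(now)
    _attempts[client_key] = recent
    return len(recent) > _MAX_PER_WINDOW


def hardened_recovery_lookup(username: str, client_key: str,
                             now: Optional[float] = None) -> dict:
    """Same entry point, different contract:
    - the raw email/phone never leave the server; callers see masked hints only,
    - the status line is identical whether or not the username exists,
    - per-client rate limiting bounds bulk enumeration.
    The masked hints still confirm that an account exists, which is exactly
    why the rate limit (and, in production, CAPTCHA or login-history checks)
    must accompany them; a stricter design returns no hints at all."""
    now = time.time() if now is None else now
    if _rate_limited(client_key, now):
        return {"status": "rate_limited", "hints": []}
    hints = []
    user = USERS.get(username)
    if user is not None:
        hints = [
            {"channel": "email", "hint": mask_email(user.email)},
            {"channel": "sms", "hint": mask_phone(user.phone)},
        ]
        # A one-time code would be dispatched here using user.email / user.phone;
        # the unmasked values are used server-side only.
    return {"status": "code_sent_if_account_exists", "hints": hints}


if __name__ == "__main__":
    print("leaky   :", leaky_recovery_lookup("alice"))
    print("hardened:", hardened_recovery_lookup("alice", "client-demo"))
    print("unknown :", hardened_recovery_lookup("nobody", "client-demo"))
```

The point of the side-by-side is that the recovery endpoint is an unauthenticated surface: whatever it returns for a username is available to anyone, so the raw contact details must stay server-side and be used only to deliver a code, with the response shaped so that one username cannot be used to pull down a full contact record.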
How did Meta respond to this vulnerability?
According to the report, Meta later said “the issue has been resolved,” but Meta did not publicly disclose how the vulnerability was patched, when it was discovered, or the number of affected users.
What is the relationship between this vulnerability and the Meta AI chatbot vulnerability?
The two vulnerabilities are separate security incidents that occurred close together in time. The Meta AI chatbot vulnerability was exposed earlier and was used to change other people’s passwords, leading to about 100 high-value accounts being stolen; the PII leakage vulnerability in the account recovery feature is the newly exposed design flaw, surfacing a few days after the chatbot incident.