Critical Flaw in Meta's Account Recovery Exposes User PII
Severity: High (Score: 69.8)
Sources: Kucoin, Chaincatcher
Keywords: meta, account, recovery, feature, design, high-risk, flaw
Severity indicators: flaw
Summary
On June 8, 2026, GoPlus revealed a critical design flaw in Meta's account recovery feature. This vulnerability allows attackers to access users' phone numbers, email addresses, and other personally identifiable information (PII) simply by entering a Meta username, without any login or verification. The flaw poses significant risks, including large-scale phishing attacks, SIM swap attacks, account takeovers, and identity theft. Users are advised to remove or change compromised recovery options, update passwords, enable two-factor authentication (2FA), and avoid suspicious communications. The exposure of sensitive information could lead to targeted social engineering attacks. The situation requires urgent attention from affected users to mitigate potential risks. No specific CVEs were mentioned in the articles.

Key Points:
- Meta's account recovery feature has a critical design flaw exposing user PII.
- Attackers can access sensitive information without any verification by using a username.
- Users are advised to change recovery options and enable 2FA to protect their accounts.
Detailed Analysis
**Impact**

Users of Meta platforms globally are affected by the exposure of personally identifiable information (PII), including phone numbers and email addresses, through the account recovery feature. This flaw risks large-scale phishing campaigns, SIM swap attacks, account takeovers, identity theft, and targeted social engineering. The scope includes any Meta user whose username is known, with no login or verification required to access their linked recovery information. Business operations relying on Meta accounts for authentication or communication may face disruptions and increased fraud incidents.

**Technical Details**

The vulnerability allows attackers to input a Meta username into the account recovery feature and retrieve full PII without authentication. No malware, CVEs, or specific infrastructure details are mentioned in the reports. The attack vector exploits a design flaw in the recovery process, enabling information disclosure at the reconnaissance and initial access stages of the kill chain. No indicators of compromise (IOCs) are provided.

**Recommended Response**

Users should immediately remove or replace compromised email addresses and phone numbers used as recovery options, and change passwords on related accounts while enabling two-factor authentication (2FA). Organizations should educate users not to click on suspicious emails or SMS messages referencing account anomalies, verification, or password resets. Implement multi-channel verification methods confirmed through official documentation or trusted social media channels. Monitoring for phishing attempts and suspicious account recovery activity is advised.
Source articles (2)
- GoPlus: Meta account recovery feature exposed to high-risk design flaws, which could ... — Chaincatcher · 2026-06-08
  GoPlus posted on platform X that the Meta account recovery feature has been exposed to a high-risk design flaw, which could directly leak users' phone numbers, email addresses, and PII (Personally Ide…
- Meta Account Recovery Feature Found to Have High-Risk Design Flaw — Kucoin · 2026-06-08
  ME News reports that on June 8 (UTC+8), GoPlus posted on X that a critical design flaw has been exposed in Meta’s account recovery feature, directly exposing users’ phone numbers, email addresses, and…
Timeline
- 2026-06-08 — GoPlus reveals Meta account recovery flaw: GoPlus announced a critical design flaw in Meta's account recovery feature, exposing users' PII.
- 2026-06-08 — Recommendations issued for affected users: Users are advised to change recovery options and enhance account security measures following the flaw disclosure.
Related entities
- Phishing (Attack Type)
- Meta (Company)
- CWE-200 - Exposure of Sensitive Information (CWE)
- T1566 - Phishing (MITRE ATT&CK)