Facebook fixes Instagram bug that leaked user’s private email address and birthday

This week a researcher walked away with a $13,125 bug bounty award for responsibly reporting a data leak to Facebook.

Security researcher Saugat Pokharel shared details of the privacy flaw, which was causing Instagram to leak the email address and date of birth of its users.

Pokharel said he noticed the email address of a user while replying to him via Facebook’s Business Suite.

On digging deeper, the researcher was able to confirm that this information was meant to remain private.

“In the official help page of Instagram, it was clearly mentioned that email address is not visible to other users. I became 99% sure that it was a bug,” said Pokharel in a blog post.

User birthday also leaked

After responsibly reporting the bug to Facebook, the researcher patiently waited and in the interim tried to verify if a fix had been pushed out by the company yet.

However, that is precisely when he discovered an additional bit of private user data being exposed.

“When I was checking for the fix, I saw that birthday of one Instagram user was leaking from the same place. I was again shocked. I then wrote a reply saying birthday is leaking from the same place,” says Pokharel.

A Facebook engineer reportedly responded to the researcher that Facebook had already identified the birthday leak while investigating his previous report concerning the email address exposure.

“The next day, birthday issue was also fixed. But, during my investigation what I found was: Birthday was leaking only for those users who manually signed up for Instagram. So, in this way: I was able to infer [whether] the user created Instagram account through Login with Facebook method or not. I believed this is another privacy concern,” explains the researcher.

In other words, a user’s birthday being exposed would be an indication that the user had registered for an Instagram account rather than “logging in with Facebook.”
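The inference described above, as an added illustration that is not Facebook's or Instagram's code: a response builder that copies whatever is populated leaks the email outright and, because birthday is only stored for manual sign-ups, its mere presence reveals how the account was created. The account fields, `signup_method` value and sample users are constructed assumptions; the hardened variant allow-lists fields so the response shape never depends on private data.

```python
# Added example (not Facebook/Instagram code). Field names, the
# signup_method values and both sample accounts are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    username: str
    email: str
    birthday: Optional[str]   # stored only for manually signed-up accounts
    signup_method: str        # "manual" or "facebook_login" (hypothetical)

# Profile fields a viewer other than the account owner may see.
PUBLIC_FIELDS = ("username",)

def leaky_profile(acct: Account) -> dict:
    """Vulnerable: copies every populated attribute. Email always leaks, and
    birthday leaks only for manual sign-ups, which exposes signup_method."""
    return {k: v for k, v in vars(acct).items()
            if k != "signup_method" and v is not None}

def safe_profile(acct: Account) -> dict:
    """Hardened: allow-list the fields and emit the same shape for every
    account, so neither a value nor its presence depends on private data."""
    return {k: getattr(acct, k) for k in PUBLIC_FIELDS}

def infer_signup_method(profile: dict) -> Optional[str]:
    """What a viewer can conclude from one response: a birthday means a
    manual sign-up; email without birthday means Login with Facebook;
    no private keys at all means nothing can be inferred."""
    if "birthday" in profile:
        return "manual"
    if "email" in profile:
        return "facebook_login"
    return None

MANUAL = Account("alice", "alice@example.com", "1990-01-02", "manual")
FB = Account("bob", "bob@example.com", None, "facebook_login")

if __name__ == "__main__":
    for acct in (MANUAL, FB):
        print("leaky:", leaky_profile(acct), "->", infer_signup_method(leaky_profile(acct)))
        print("safe: ", safe_profile(acct), "->", infer_signup_method(safe_profile(acct)))
```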

For his report of both privacy issues, Pokharel was awarded a $12,500 cash bounty from Facebook.

Further, the company applied a $625 bonus to the payout for the researcher’s previous work on the Hacker Plus program, making the total sum $13,125.

Now that’s quite a way to end 2020!

Facebook has now patched both privacy issues, and at the time of writing users’ private Instagram details are no longer being leaked.

Data leaks have become a common nuisance due to human errors or system bugs.

Last month, Insomnia Cookies website leaked sensitive database server credentials due to an exposed .env file.

Reports of bulk email address leaks in CC’d emails (when the sender had intended to BCC the recipients) have surfaced too as a result of human errors.

Ax Sharma

Ax Sharma is a UK-based security researcher, journalist and TV subject matter expert experienced in malware analysis and cybercrime investigations. His areas of interest include open source software security and threat intel analysis. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
