Meta's account recovery feature has been found to have a high-risk design flaw that could directly leak sensitive user information.
Time 02:44

June 8, 2026
CoinFeed News

CoinFeed reported on June 8th that GoPlus published a post on X stating that Meta's account recovery function has been found to have a high-risk design flaw that directly leaks users' phone numbers, email addresses, and other personally identifiable information (PII). According to the post, attackers only need to enter the Meta username, without any login or verification, to directly obtain the user's linked email address, phone number, and other complete PII. This could expose users to numerous harms, such as large-scale phishing attacks, SIM card swapping attacks, account takeover and identity theft, and targeted social engineering attacks. Recommendations: remove or replace the leaked email address/phone number as a recovery method; change the password for related accounts and enable 2FA; do not click on any emails or text messages related to "account anomaly," "verification," or "password reset"; use multiple verification channels, such as official documentation or other official social media channels.
