
GoPlus: High-risk design flaws in Meta account recovery feature could directly leak users' sensitive information

2026-06-08 10:45:52

GoPlus posted on platform X that the Meta account recovery feature contains a high-risk design flaw that could directly leak users' phone numbers, email addresses, and other PII (Personally Identifiable Information). Attackers only need to enter a Meta username, without any login or verification, to obtain the complete PII linked to that user, such as email addresses and phone numbers. This could expose users to significant risks, including large-scale phishing attacks, SIM-swapping attacks, account takeover and identity theft, and targeted social engineering attacks.
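The class of flaw described above, shown as an added illustration that is not Meta's or GoPlus's code: an unauthenticated recovery lookup that echoes the linked contact details, next to a design that answers identically for every username and delivers recovery out-of-band. All function names, the account records and the `OUTBOX` queue are hypothetical and constructed for this example.

```python
import json

# Constructed sample account store (hypothetical data, not real users).
ACCOUNTS = {
    "alice": {"email": "alice.wong@example.com", "phone": "+14155550123"},
    "bob": {"email": "b@example.org", "phone": None},
}
OUTBOX = []  # stands in for the server-side, out-of-band delivery queue


def recovery_lookup_leaky(username):
    """Flawed design: no login or verification, yet the response carries
    the full email and phone number linked to the username."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"found": False}
    return {"found": True, "email": acct["email"], "phone": acct["phone"]}


def recovery_lookup_hardened(username):
    """Hardened design: the response is identical for every username and
    contains no contact data; instructions go to the contacts on file."""
    acct = ACCOUNTS.get(username)
    if acct is not None:
        for channel in ("email", "phone"):
            if acct[channel]:
                OUTBOX.append((channel, acct[channel]))
    return {"status": "If the account exists, recovery instructions were sent."}


def leaked_values(response, username):
    """Regression check: list stored contact values that appear verbatim
    in a response body returned to an unauthenticated caller."""
    body = json.dumps(response)
    acct = ACCOUNTS.get(username, {})
    return [value for value in acct.values() if value and value in body]


if __name__ == "__main__":
    for handler in (recovery_lookup_leaky, recovery_lookup_hardened):
        resp = handler("alice")
        print(handler.__name__, "leaks:", leaked_values(resp, "alice"))
```

A check like `leaked_values` can run in CI against every unauthenticated endpoint that accepts an account identifier.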

Recommendations: Remove or change the leaked email address or phone number as a recovery method; change the passwords of related accounts and enable 2FA; do not click on any emails or messages about "account anomalies," "verification," or "password reset"; and set up multi-channel verification, confirming through official documents or other official social media channels.
