Saved February 14, 2026
Do you care about this?
A researcher revealed that some private Instagram profiles were exposing links to private photos in their HTML code, accessible to unauthenticated users. Although Meta fixed the issue shortly after being notified, they dismissed it as "not applicable" and did not acknowledge the severity of the vulnerability.
If you do, here's more
A security researcher named Jatin Banga found that some private Instagram profiles were leaking links to user photos to unauthenticated visitors. While Instagram's private account feature is supposed to restrict access to approved followers, Banga's investigation revealed that certain profiles returned links to private photos embedded in the HTML source code. In his tests, he discovered that at least 28% of the private accounts he examined showed captions and links to private photos in the response, despite unauthenticated users only seeing a message stating, "This account is private."
Banga reported this vulnerability to Meta, Instagram's parent company, on October 12, 2025. Initially, Meta attributed the issue to caching problems, which Banga disputed, asserting it was a failure in server-side authorization. Although Meta eventually fixed the issue, they closed the case as "not applicable," claiming they could not reproduce the problem. Banga noted that the exploit ceased around October 16, but he remains skeptical about whether Meta genuinely resolved the underlying issue, as there was no thorough root cause analysis provided.
Despite the severity of the leak, which could have exposed private images for an unknown duration, Meta did not engage in meaningful dialogue regarding the flaw. Banga expressed frustration over the company's lack of acknowledgment and thorough investigation. He shared evidence of the vulnerability with BleepingComputer and clarified that he wasn't seeking a bounty; his primary aim was transparency about the critical privacy risk that was addressed but not properly acknowledged by Meta.