A researcher revealed that some private Instagram profiles were exposing links to private photos in their HTML code, accessible to unauthenticated users. Although Meta fixed the issue shortly after being notified, they dismissed it as "not applicable" and did not acknowledge the severity of the vulnerability.

Instagram recently addressed a problem where users received unsolicited password reset emails triggered by an external party. The company insists there was no breach, despite reports of personal data from millions of accounts being available on the dark web.

Instagram utilizes a strategy of changing its TLS certificates daily, opting for certificates that are slightly more than a week from expiration. This approach seems to aim for reducing certificate lifetime, although it raises questions about security regarding key management. The findings reveal that both the main domain and its subdomain have separate certificates, despite the potential for a wildcard certificate to cover subdomains.