A white-hat ethical hacker recently found an Instagram vulnerability that might have exposed users’ personal information.

Hacker @ZHacker13  found the vulnerability in Instagram’s login form and Sync Contacts feature. The hacker was able to put in phone numbers that the platform validated as linked to active accounts. New fraudulent accounts were set up using the validated phone numbers and Instagram’s Sync Contacts feature allowed the new fraudulent accounts to link to the details of the real accounts, exposing users’ usernames, full names, and phone numbers.

The leaked information can put users at risk for SIM swap scams and identity theft.

The hacker reported the vulnerability to Facebook, Instagram’s parent company, and received a $4,000 “bug bounty.”  Facebook has since patched the leak.

The Instagram vulnerability comes after Facebook recently came under fire for a data breach on that platform that exposed 419 million users’ phone numbers.

Instagram also has made recent headlines after researchers identified a new phishing scam that used false two-factor authentication to take over accounts.