Over 20,000 Instagram Accounts Hijacked via the Meta AI Support Tool Exploit
- Accounts compromised: Attackers exploited a flaw in Meta's High Touch Support tool to hijack over 20,000 Instagram accounts via unauthorized password resets.
- Breach timeline: Meta discovered the vulnerability on May 31, 2026, while the breach filing identifies April 17 as the date it began.
- HTS disabled: Meta shut down the High Touch Support system and invalidated all generated reset links.
Meta has disclosed that 20,225 Instagram users had their accounts hijacked after attackers exploited a vulnerability in the company's AI-powered account recovery system to reset passwords. The flaw resided in the High Touch Support (HTS) tool, an AI-assisted platform designed to help users regain access to locked-out Instagram accounts.
How the High Touch Support Flaw Was Exploited
Attackers exploited the High Touch Support vulnerability by submitting the email addresses of accounts without two-factor authentication (2FA) enabled to obtain password reset links for account takeover.
The flaw stemmed from HTS's failure to verify whether email addresses submitted during the recovery process were associated with the targeted Instagram accounts, “due to a bug in a separate code path,” according to a data breach letter filed with the Maine Office of the Attorney General. The hijacking occurred on April 17, 2026.
Meta said it had no information confirming exactly what personal data was accessed, but noted that attackers could have obtained:
- Contact information (email address and/or phone number)
- Date of birth
- Social media posts and content (photos, videos, stories)
- Direct messages and communications
- Account activity and interaction history
- Profile information (biography, profile photo)
- Connected accounts and linked services
Meta's Remediation Steps
Following the discovery on May 31, 2026, Meta said it disabled HTS and invalidated all password reset links the tool had generated. Potentially compromised accounts were enrolled in a mandatory security checkpoint requiring users to reset passwords and re-authenticate.
Meta stated it would fix the authentication check in the Instagram recovery entry point before relaunching the tool and would conduct a comprehensive review of similar account recovery flows across Meta platforms.
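The bug class described in the breach letter, as an added sketch (not Meta's code, which the filing does not show): a recovery side path that mints a reset link without checking that the submitted address is on file for the account, beside a single checked mint function that every path calls, and an audit over issued links of the kind a review of recovery flows would run. Account names, addresses, the URL and the log fields are constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    username: str
    verified_emails: frozenset  # addresses already verified for this account

class RecoveryDenied(Exception):
    pass

def _norm(email):
    return email.strip().lower()

def is_bound(account, email):
    """True only if the submitted address is on file for this account."""
    return _norm(email) in {_norm(e) for e in account.verified_emails}

def mint_reset_link(account, email, log):
    """Single choke point: the binding check lives where links are created."""
    if not is_bound(account, email):
        raise RecoveryDenied(f"{email!r} is not on file for {account.username}")
    log.append({"account": account.username, "sent_to": _norm(email)})
    return f"https://example.invalid/reset/{secrets.token_urlsafe(32)}"

def support_path_flawed(account, email, log):
    """Models the bug class: a separate code path that skips the binding check."""
    log.append({"account": account.username, "sent_to": _norm(email)})
    return f"https://example.invalid/reset/{secrets.token_urlsafe(32)}"

def support_path_fixed(account, email, log):
    """Same entry point, routed through the checked mint function."""
    return mint_reset_link(account, email, log)

def audit(log, accounts):
    """Issued links whose destination is not on file: candidates to invalidate."""
    return [r for r in log if not is_bound(accounts[r["account"]], r["sent_to"])]

ACCOUNTS = {"alice": Account("alice", frozenset({"alice@example.com"}))}  # constructed

def demo():
    log = []
    support_path_flawed(ACCOUNTS["alice"], "intruder@example.net", log)
    try:
        support_path_fixed(ACCOUNTS["alice"], "intruder@example.net", log)
        denied = False
    except RecoveryDenied:
        denied = True
    support_path_fixed(ACCOUNTS["alice"], " Alice@Example.com ", log)
    return denied, audit(log, ACCOUNTS)
```

Placing the check inside the mint function rather than in each entry point means a newly added recovery path cannot issue a link without it.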
Instagram patched the Meta AI support assistant vulnerability last week and plans to start consumer notification on June 19.
In April, a Meta Platforms class action said Facebook’s personal data scraping affected 35 million users. In January, Instagram denied it had suffered a data breach after users received password reset emails, with 6.2 million accounts added to HIBP.






