
Meta has begun notifying approximately 20,000 Instagram users that their accounts may have been compromised after attackers exploited a flaw in an AI-assisted account recovery tool.
The company says the vulnerability allowed unauthorized parties to obtain password reset links for accounts they did not own, leading to account takeovers.
According to a breach notification submitted to state regulators, the company discovered the issue on May 31, 2026, in an AI-assisted Instagram account recovery system known internally as High Touch Support (HTS). The tool is designed to help users regain access to locked accounts by guiding them through recovery procedures, including password reset requests.
Meta said the recovery platform itself functioned as intended, but a bug in a separate code path failed to properly verify that a password reset request was being sent to the email address already associated with the target Instagram account. Instead of rejecting mismatched email addresses, the system could send password reset links to addresses supplied by the requester.
As a result, attackers were able to receive valid password reset links for accounts they did not control. Once a password was reset, unauthorized users could access the account if the legitimate owner had not enabled two-factor authentication (2FA).
The social media giant, which operates Facebook, Instagram, WhatsApp, and Threads and serves billions of users worldwide, said it has secured all potentially affected accounts and removed the vulnerable functionality from production.
The incident impacted several owners of high-profile and valuable Instagram accounts, who reported sudden lockouts, with some claiming attackers had successfully bypassed account recovery safeguards. Impacted users also criticized Meta's support infrastructure, saying they were often routed through automated assistance systems with limited access to human support personnel.
The company said it is currently unaware of what specific information, if any, was accessed by attackers. However, users whose accounts were compromised could have had a range of data exposed, including:
- Email addresses and phone numbers
- Dates of birth
- Photos, videos, stories, and other posted content
- Direct messages
- Account activity history
- Profile information
- Connected accounts and linked services
Before reintroducing the recovery feature, Meta says it will implement additional verification checks to ensure that email addresses provided during account recovery match the information already associated with the account. The company is also reviewing similar account recovery workflows across its platforms to identify and remediate related weaknesses.
Users who receive a notification should review recent login activity, verify that the recovery email address and phone number on the account are their own, check for unauthorized changes to connected accounts or login credentials, and enable two-factor authentication if it is not already on, since 2FA was the control that stopped a reset link from turning into a takeover in this incident.