
Meta AI Flaw Exposes 20K Instagram Accounts

· 3 min read · SecurityXP Editorial Desk

Meta Instagram AI Recovery Tool Flaw Exposes 20,000+ Accounts

On May 31, 2026, Meta discovered a flaw in its High Touch Support tool, which had been exploited by attackers to hijack over 20,225 Instagram accounts. This incident is a clear example of the ongoing risks associated with AI-powered support systems. The vulnerability allowed attackers to reset passwords without verifying email addresses associated with targeted accounts.

Attackers could obtain password reset links for, and log in to, accounts that did not have two-factor authentication enabled. According to Amber Hannah of Meta, the tool itself worked properly, but a bug in a separate code path meant the system did not verify that the email address provided by the person requesting a password reset matched the email address on file for that Instagram account. As a result, when the requester supplied an address not previously associated with the account, the system sent the password reset link to that unassociated address instead of rejecting the request.
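To make the failure concrete, here is an added illustration (not Meta's code; the account store, usernames and addresses are constructed for the example) showing a reset handler with the described defect beside a hardened one that only ever delivers the link to the registered address and honours two-factor authentication:

```python
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets


# Constructed sample account store keyed by username (not real accounts).
@dataclass
class Account:
    username: str
    email: str
    two_factor: bool


ACCOUNTS = {
    "brand_demo": Account("brand_demo", "press@example.org", two_factor=False),
    "hardened_demo": Account("hardened_demo", "owner@example.org", two_factor=True),
}


def _norm(email: str) -> str:
    return email.strip().lower()


def reset_vulnerable(username: str, requester_email: str) -> Optional[dict]:
    """Mirrors the bug described above: the requester-supplied address is never
    compared with the account's registered address, so the reset link is sent
    wherever the requester asked."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    return {"to": requester_email, "token": secrets.token_urlsafe(32)}


def reset_hardened(username: str, requester_email: str,
                   second_factor_ok: bool = False) -> Optional[dict]:
    """Hardened form: the supplied address must match the registered one
    (compared in constant time after normalisation), the link goes only to the
    registered address, and 2FA accounts also need the second factor."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None  # a real service answers unknown and rejected requests identically
    if not hmac.compare_digest(_norm(requester_email).encode(), _norm(acct.email).encode()):
        return None  # reject: address is not associated with this account
    if acct.two_factor and not second_factor_ok:
        return None  # reject: second factor required before any reset
    return {"to": acct.email, "token": secrets.token_urlsafe(32)}
```

The hardened handler also shows why the accounts without two-factor authentication were the ones hijacked: with the factor required, a correct email alone is not enough to obtain the link.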

The Breach

The breach started approximately on April 17, 2026, with attackers exploiting a flaw in Meta’s High Touch Support tool to hijack Instagram accounts. For about six weeks, the attack continued to run undetected. It wasn’t until May 31, 2026, that Meta discovered the problem with the High Touch Support tool. Early June 2026 saw Meta pulling the High Touch Support tool to prevent further exploitation.

The list of impacted accounts included high-profile accounts such as the Obama White House, Sephora, and US Space Force Chief Master Sergeant John Bentivegna. These accounts were compromised because they did not have two-factor authentication enabled. This incident raises concerns about the effectiveness of Meta’s incident detection and response capabilities. The fact that the flaw went undetected for six weeks also highlights the need for more stringent security protocols.

Impact and Response

The use of AI-driven support tools is becoming more widespread, and this incident shows that the industry as a whole must prioritize security testing and validation to prevent such vulnerabilities from being exploited. To protect themselves, Instagram users should enable two-factor authentication on their accounts, verify email addresses associated with their accounts, and use a secure email address for account recovery. Users should also monitor their account activity regularly, be cautious of password reset links sent via email, and use a password manager to generate unique, complex passwords.

Meta has informed authorities, including the Maine Attorney General’s Office, about the incident’s impact. The company is required to notify affected users and provide them with information on how to protect themselves. Regulatory bodies, such as the Federal Trade Commission, may also investigate the incident to determine if Meta has complied with relevant laws and regulations. This includes assessing whether Meta has adhered to the guidelines set forth by the General Data Protection Regulation and the California Consumer Privacy Act.

Regulatory Status and Potential Consequences

If found non-compliant, Meta may face significant fines and penalties. The company may also be required to implement additional security measures to prevent similar incidents in the future. As part of its regulatory obligations, Meta will notify affected users and provide them with information on how to protect themselves. This includes guidance on enabling two-factor authentication, monitoring account activity, and using secure email addresses for account recovery.

Conclusion

This incident highlights the importance of security in AI-powered support systems. It shows that even with proper tools in place, vulnerabilities can still be exploited if not properly tested and validated. Users must take steps to protect themselves, and companies like Meta must prioritize security to prevent such incidents in the future.
