More than 20,000 Instagram accounts stolen in Meta AI-supported hack

Meta revealed that more than 20,000 Instagram users had their accounts compromised in a recent incident where attackers used Meta’s AI-powered support system to reset passwords.

As BleepingComputer reported last week, malicious actors exploited a flaw in the company’s High Touch Support (HTS) tool, an AI-assisted support system that helps users regain access after being locked out of their Instagram accounts.

By exploiting the fact that HTS did not verify the email addresses associated with the targeted Instagram accounts, they obtained password reset links that allowed them to log in and hijack accounts without two-factor authentication (2FA) enabled.

After many user reports about this attack hit social media, Andy Stone, Meta’s vice president of communications, responded to one of the affected users, saying “the problem has been resolved, and we are finding the affected accounts.”

BleepingComputer also reached out to Meta last week for comment on the security breach, but we have yet to hear back.

“We are writing to inform you that a vulnerability in the Instagram account recovery support tool was used to compromise the Instagram accounts of 30 users in your area. All accounts are secured to prevent any further unauthorized access,” Meta said in a data breach letter recently filed with the Maine Attorney General’s Office.

“On May 31, 2026, Meta discovered a vulnerability in Instagram’s AI-assisted account recovery system (‘High Touch Support’ or ‘HTS’) that was exploited by unauthorized third parties to perform password resets on Instagram user accounts,” explained Meta.

While Meta did not specify when the attack began in the breach letter, a posting on the Maine OAG website says the breach occurred on April 17, which is likely the date of the first attack that used the HTS flaw.

In addition, although the company said it has no knowledge of what personal information may have been accessed or stolen from the compromised accounts, it noted that the attackers had access to the contact information of the affected Instagram users (email address and/or phone number), dates of birth, social media posts and content (photos, videos, stories), direct messages and communications, and linked account information (including linked account history and linked services).

Chat with Meta’s AI HTS agent (@thecomfeed)

After discovering this incident, the company disabled the HTS AI-powered support system and all the password reset links it had generated to ensure that all future hacking attempts as part of the same malicious campaign would be blocked.

It also registered all potentially stolen accounts in a mandatory security audit and asked all affected users to reset their passwords and re-authenticate to protect and regain control of the compromised accounts.

“Prior to re-launching this tool, Meta will adjust the verification check at the login point of Instagram acquisition to ensure proper verification of email addresses against existing account information before any password resets are initiated,” Meta added. “Additionally, Meta is conducting a comprehensive review of the same account acquisition flow across all Meta platforms to identify and fix any potential issues.”
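The flaw described above, and the fix Meta outlines, come down to one check in the recovery flow: the reset link must only ever go to the address already on file for the account, never to whatever address the support request supplies. The following is an added illustration, not Meta's or Instagram's code; the account store, the `RecoveryService` class and its method names are constructed for the example. It places the weak pattern (`request_reset_unverified`) beside the hardened one (`request_reset`), binds each token to an account with an expiry and single use, and includes the bulk revocation step the article says Meta applied to all previously generated links.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample account store for the example (not real data).
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "has_2fa": False},
    "bob": {"email": "bob@example.com", "has_2fa": True},
}


@dataclass
class ResetToken:
    username: str
    sent_to: str
    expires_at: float
    used: bool = False


class RecoveryService:
    """Hypothetical account-recovery backend used to contrast the two patterns."""

    def __init__(self, now=time.time, ttl_seconds: int = 900):
        self._tokens: dict[str, ResetToken] = {}
        self._now = now
        self._ttl = ttl_seconds
        # Stand-in for email delivery: (recipient, token) pairs.
        self.outbox: list[tuple[str, str]] = []

    def _mint(self, username: str, recipient: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = ResetToken(username, recipient, self._now() + self._ttl)
        self.outbox.append((recipient, token))
        return token

    # Weak pattern: trusts the email address supplied with the support request,
    # so anyone who knows a username can have the link delivered to themselves.
    def request_reset_unverified(self, username: str, requested_email: str) -> str:
        if username not in ACCOUNTS:
            return "no such account"
        self._mint(username, requested_email)
        return "reset link sent"

    # Hardened pattern: the link is issued only when the supplied address matches
    # the one on file, it is delivered to that stored address, and the response
    # is identical either way so the flow cannot be used to confirm accounts.
    def request_reset(self, username: str, requested_email: str) -> str:
        account = ACCOUNTS.get(username)
        if account is not None and hmac.compare_digest(
            account["email"].strip().lower().encode(),
            requested_email.strip().lower().encode(),
        ):
            self._mint(username, account["email"])
        return "If the details match an account, a reset link has been sent to the address on file."

    def redeem(self, token: str) -> dict | None:
        """Consume a reset token. Returns None if unknown, expired or already used."""
        rec = self._tokens.get(token)
        if rec is None or rec.used or self._now() > rec.expires_at:
            return None
        rec.used = True
        # Password update for rec.username would happen here. An account with 2FA
        # should still be challenged for the second factor before the session is granted.
        return {"username": rec.username, "step_up_required": ACCOUNTS[rec.username]["has_2fa"]}

    def revoke_all(self) -> int:
        """Invalidate every outstanding reset link; returns how many were revoked."""
        count = len(self._tokens)
        self._tokens.clear()
        return count
```

`request_reset` deliberately returns the same sentence whether or not the username and email matched; the caller learns nothing beyond "check the inbox on file". Token lifetime is injectable via `now` so the expiry path can be exercised in a test without sleeping.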

Prior to this incident, Ireland also fined Meta $264 million for a 2018 data breach that exposed the names, email addresses, phone numbers and locations of more than 29 million Facebook accounts.

Meta was also fined 265 million euros ($275.5 million) in November 2022 for failing to protect Facebook users’ data from scrapers, and another €91 million ($100 million) for storing hundreds of millions of users’ passwords in clear text.
