What happened
Meta revealed that more than 20,000 Instagram users had their accounts hijacked after attackers abused a vulnerability in the company’s AI-assisted account recovery support tool. The tool, called High Touch Support or HTS, is designed to help users regain access after being locked out of their Instagram accounts.
Attackers exploited the fact that HTS did not verify whether email addresses were associated with the targeted Instagram accounts. By abusing this gap, threat actors obtained password reset links that allowed them to access and hijack accounts that did not have two-factor authentication enabled.
Meta said in a data breach letter filed with Maine’s Office of the Attorney General that it discovered the vulnerability on May 31, 2026. The same filing listed April 17 as the breach date, which is likely the date of the first attack exploiting the HTS flaw. Meta said the vulnerability was used by unauthorized third parties to perform password resets on Instagram user accounts.
Meta said it had no information on what personal information may have been accessed or stolen from compromised accounts. However, attackers could have accessed affected users’ contact information, including email addresses and phone numbers, dates of birth, social media posts and content such as photos, videos, and stories, direct messages and communications, account activity and interaction history, profile information, and other connected accounts and linked services.
After discovering the incident, Meta disabled the HTS AI-powered support system and all password reset links generated by the tool to block future hijacking attempts tied to the same campaign. It also enrolled potentially stolen accounts into a mandatory security checkpoint and required affected users to reset their passwords and re-authenticate to secure and regain control of their accounts.
Meta said that before relaunching the tool, it will fix the authentication check in the Instagram recovery entry point to ensure email addresses are properly verified against existing account information before any password reset is initiated. The company also said it is conducting a comprehensive review of similar account recovery flows across Meta’s platforms to identify and remediate potential issues.
Who is affected
More than 20,000 Instagram users had their accounts hijacked through the exploited HTS account recovery flaw. The filing with Maine's Office of the Attorney General lists 30 potentially compromised users in that state.
Accounts without two-factor authentication were the ones exposed, since a password reset link alone was enough for the attackers to gain access. Potentially exposed information may include contact details, birth dates, social media content, direct messages, profile information, account activity, and connected accounts or linked services.
Why CISOs should care
This incident shows how account recovery workflows can become a high-impact attack path when identity checks are incomplete. The attackers did not need to break into Instagram through a traditional login flow. Instead, they abused an AI-assisted support tool that could initiate password resets without properly verifying whether the email address matched the targeted account.
For CISOs, the key lesson is that AI-assisted support and recovery systems should be treated as privileged identity infrastructure, not simply customer service tooling. Any workflow that can reset credentials, issue recovery links, or restore account access needs strong verification, abuse monitoring, and rollback controls.
The incident also highlights the risk of similar flaws existing across related platforms. Meta said it is reviewing similar account recovery flows across its platforms, which reinforces the need for organizations to assess identity recovery processes consistently rather than fixing one affected tool in isolation.
3 practical actions
- Audit account recovery workflows for identity verification gaps: The HTS flaw allowed attackers to obtain password reset links because the tool did not verify whether email addresses were associated with targeted Instagram accounts. CISOs should review every recovery path that can reset credentials or issue access links and confirm that identity attributes are validated before recovery actions are triggered.
- Require additional controls for high-risk recovery actions: The affected accounts were hijacked through password reset links, particularly where two-factor authentication was not enabled. Organizations should apply stricter controls to password resets, account recovery requests, and support-assisted access restoration, especially for accounts without MFA or with signs of suspicious activity.
- Review AI-assisted support tools as part of the identity attack surface: Meta disabled the HTS AI-powered support system and began reviewing similar account recovery flows across its platforms. CISOs should inventory AI-assisted support workflows, determine whether they can trigger security-sensitive actions, and test those workflows for abuse cases before deployment or relaunch.
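A minimal model of the two shapes of recovery entry point discussed above, covering both the verification gap and the controls the actions list calls for. This is an added example, not Meta's or Instagram's code; the account store, handle, addresses and tool name are constructed. The unverified path issues a link for any caller-supplied address, while the verified path checks the address against the account's confirmed contacts, audits every request so mismatches feed a detection rule, and a revocation function mirrors the rollback step of invalidating every outstanding link a tool issued.

```python
import secrets
import time

# Constructed account store: handle -> addresses the user has already confirmed.
# Every handle and address here is hypothetical.
ACCOUNTS = {"alice": {"alice@example.com"}}
ISSUED = {}  # reset token -> {handle, email, tool, exp}
AUDIT = []   # structured request events feeding the detection rule below

def _mint(handle, email, tool, ttl=900):
    tok = secrets.token_urlsafe(24)
    ISSUED[tok] = {"handle": handle, "email": email, "tool": tool, "exp": time.time() + ttl}
    return tok

def issue_reset_unverified(handle, email):
    """Vulnerable shape: a real handle plus any caller-supplied address yields a link."""
    if handle not in ACCOUNTS:
        return None
    return _mint(handle, email, "hts")

def issue_reset_verified(handle, email):
    """Hardened shape: the address must already be bound to the account; every
    request is audited so mismatches are visible to detection."""
    confirmed = ACCOUNTS.get(handle)
    ok = confirmed is not None and email.lower() in {e.lower() for e in confirmed}
    AUDIT.append({"handle": handle, "email": email, "match": ok})
    if not ok:
        return None  # same answer for unknown handle and wrong email: no enumeration
    return _mint(handle, email, "hts")

def redeem(tok):
    """A link is honoured only while it is still issued and unexpired; it is single-use."""
    meta = ISSUED.pop(tok, None)
    return meta["handle"] if meta and meta["exp"] > time.time() else None

def revoke_tool_tokens(tool):
    """Rollback control: invalidate every outstanding link a compromised tool issued."""
    doomed = [t for t, m in ISSUED.items() if m["tool"] == tool]
    for t in doomed:
        del ISSUED[t]
    return len(doomed)

def mismatch_alerts(threshold=3):
    """Detection: handles hit by repeated reset requests from non-matching addresses."""
    counts = {}
    for ev in AUDIT:
        if not ev["match"]:
            counts[ev["handle"]] = counts.get(ev["handle"], 0) + 1
    return sorted(h for h, n in counts.items() if n >= threshold)
```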
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.