Meta has formally disclosed a security incident in which a flaw in its AI-powered Instagram account recovery tool allowed attackers to hijack more than 20,000 user accounts by tricking the system into sending password reset links to unauthorized email addresses.
In a data breach letter filed with Maine’s Office of the Attorney General, Meta’s associate general counsel for incident response legal, Amber Hannah, explained that the vulnerability resided in the company’s “High Touch Support” tool, an AI-assisted system designed to help locked-out users regain access to their Instagram accounts. (Source: Cybernews)
The tool failed to verify whether the email address provided during a password reset request actually matched the one on file for the account. “When an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request,” Hannah wrote. Attackers who received the reset link could then log in to any account that did not have two-factor authentication enabled. (Source: BleepingComputer)
According to the Maine filing, the breach began on April 17 and was discovered on May 31, 2026. A total of 20,225 accounts were affected. BleepingComputer first reported the attacks on June 1 after a wave of user reports appeared on social media, and 404 Media reported that hackers had posted a video to Telegram demonstrating the exploit, which involved using a VPN near the target’s location and simply asking Meta’s AI chatbot to link a new email address to the account. (Source: KrebsOnSecurity)
The attackers appeared to focus on coveted “OG” handles — short or notable usernames. Security journalist Brian Krebs reported that compromised accounts included one belonging to U.S. Space Force Chief Master Sgt. John F. Bentivegna and the Obama White House-era Instagram account. Pro-Iran hacking groups claimed responsibility for the campaign in Telegram channels. (Source: Cybernews)
Meta has disabled the HTS tool, invalidated all password reset links it generated, and enrolled affected accounts in a mandatory security checkpoint requiring users to re-authenticate. The company said it plans to fix the email verification check before relaunching the tool and is conducting a review of similar recovery flows across its platforms. (Source: BleepingComputer)
Meta’s vice president of communications, Andy Stone, stated on X that the “issue has been resolved, and we are securing impacted accounts”. The exploit did not work against accounts with any form of multi-factor authentication enabled, underscoring security experts’ long-standing recommendation that users activate even SMS-based two-factor protection. (Source: KrebsOnSecurity)
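The two defects the article turns on are the missing check that a supplied email matches the address on file, and the fact that a reset link alone was sufficient for accounts without a second factor. The following is an added illustration written for this page, not Meta's code or any reconstruction of the High Touch Support tool: a minimal reset-request flow with the flawed behaviour the filing describes beside a hardened version that only ever mails the on-file address, records mismatches for detection, and still gates the reset behind a second factor when one is enrolled. The `Account`, `Outbox`, addresses and function names are all constructed.

```python
"""Added illustration, not Meta's code: a minimal password-reset request flow
with the flaw described in the filing (link sent to whatever address the
requester supplies) beside a hardened version that only ever mails the address
on file and still gates the reset behind a second factor when one is enrolled.
Accounts, addresses and the mailer stand-in are all constructed."""
from dataclasses import dataclass, field
import hmac
import secrets
from typing import Optional


@dataclass
class Account:
    username: str
    email_on_file: str          # the only address a reset link may go to
    mfa_enabled: bool = False


@dataclass
class Outbox:
    """Constructed stand-in for a mailer: records (recipient, token) pairs."""
    sent: list = field(default_factory=list)

    def send_reset_link(self, recipient: str, token: str) -> None:
        self.sent.append((recipient, token))


def normalize_email(addr: str) -> str:
    """Canonical form for comparison: trimmed and lower-cased."""
    return addr.strip().lower()


def same_email(a: str, b: str) -> bool:
    """Constant-time comparison of two normalized addresses."""
    return hmac.compare_digest(normalize_email(a).encode("utf-8"),
                               normalize_email(b).encode("utf-8"))


def vulnerable_request_reset(account: Account, supplied_email: str,
                             outbox: Outbox) -> str:
    """The behaviour the filing describes: the supplied address is never
    checked against the account, so the link goes wherever the caller says."""
    token = secrets.token_urlsafe(32)
    outbox.send_reset_link(supplied_email, token)   # defect: unverified destination
    return token


def hardened_request_reset(account: Account, supplied_email: str,
                           outbox: Outbox, audit_log: list) -> Optional[str]:
    """Mail a reset link only when the supplied address matches the one on
    file, and then only to the on-file address itself. A mismatch produces an
    audit record (a useful detection signal if it spikes) and no email; the
    HTTP layer should return the same generic message either way so the
    endpoint cannot be used to confirm which address belongs to an account."""
    if not same_email(supplied_email, account.email_on_file):
        audit_log.append({"event": "reset_email_mismatch",
                          "username": account.username,
                          "supplied": normalize_email(supplied_email)})
        return None
    token = secrets.token_urlsafe(32)
    outbox.send_reset_link(account.email_on_file, token)  # never the supplied string
    return token


def complete_reset(account: Account, presented_token: str, issued_token: str,
                   mfa_code: Optional[str] = None,
                   expected_mfa_code: Optional[str] = None) -> bool:
    """Second gate: holding a valid reset link is not enough when the account
    has a second factor enrolled, which is why accounts with any form of 2FA
    were not taken over even when a link reached the wrong inbox."""
    if not hmac.compare_digest(presented_token.encode(), issued_token.encode()):
        return False
    if account.mfa_enabled:
        if mfa_code is None or expected_mfa_code is None:
            return False
        if not hmac.compare_digest(mfa_code.encode(), expected_mfa_code.encode()):
            return False
    return True


if __name__ == "__main__":
    owner = Account("og_handle", "owner@example.test")
    box, log = Outbox(), []
    print("vulnerable ->", vulnerable_request_reset(owner, "attacker@example.test", Outbox()))
    print("hardened, mismatch ->", hardened_request_reset(owner, "attacker@example.test", box, log), log)
    print("hardened, match ->", hardened_request_reset(owner, " Owner@Example.TEST ", box, log), box.sent)
```

The hardened handler deliberately takes the recipient from the stored record rather than the request, so even a logic slip elsewhere cannot route the link to a caller-chosen address; the `reset_email_mismatch` audit events are the kind of signal a detection team can rate-limit and alert on, since a burst of them against notable usernames is exactly what a campaign like the one described above would look like from the defender's side.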