Meta has revealed that more than 20,000 Instagram users had their accounts hijacked after attackers exploited a flaw in the company’s AI-powered support system to reset passwords and gain access to accounts.
The incident involved Meta’s High Touch Support, or HTS, an AI-assisted account recovery tool used to help Instagram users regain access when they are locked out of their accounts. Attackers reportedly abused a weakness in the system: HTS did not properly verify whether an email address was actually linked to the targeted Instagram account before sending password reset links.
This allowed the attackers to request reset links and use them to access Instagram accounts, especially those that did not have two-factor authentication enabled. After many affected users began reporting the hijackings on social media, Meta’s vice president of communications, Andy Stone, said the issue had been resolved and that the company was securing impacted accounts.
In a data breach letter filed with Maine’s Office of the Attorney General, Meta said a vulnerability in an Instagram account recovery support tool was used to potentially compromise Instagram accounts in that jurisdiction. The company said it discovered the issue on May 31, 2026, and confirmed that unauthorized third parties had exploited the AI-assisted Instagram recovery system to perform password resets on user accounts.
Although the breach notice does not say exactly when the attacks started, the filing lists April 17 as the breach date, which may indicate when the first attack took place. Meta also said it does not currently know what personal information may have been accessed or stolen from the compromised accounts.
However, the company warned that attackers may have been able to view users’ contact details, including email addresses and phone numbers, as well as dates of birth, Instagram posts, photos, videos, stories, direct messages, account activity, profile information, and linked accounts or connected services.
After discovering the incident, Meta disabled the HTS AI-powered support system and invalidated all password reset links generated through the tool. The company said this was done to block further hijacking attempts linked to the same campaign.
Meta also placed potentially compromised accounts into a mandatory security checkpoint. Affected users were asked to reset their passwords again and re-authenticate before regaining full control of their accounts.
Before relaunching the tool, Meta said it will fix the authentication check in Instagram’s recovery process to make sure email addresses are properly verified against existing account information before any password reset is allowed. The company also said it is reviewing similar account recovery systems across Meta’s platforms to find and fix any related weaknesses.
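The check described above can be sketched as follows. This is an added example, not Meta's code: the in-memory `ACCOUNTS` and `TOKENS` stores, the function names and the 15-minute link lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: account -> verified e-mail addresses already on file.
ACCOUNTS = {"alice": {"alice@example.com"}}
TOKENS = {}           # sha256(token) -> (account, expiry); raw tokens are never stored
TTL_SECONDS = 900     # assumed link lifetime

def _norm(email):
    return email.strip().lower()

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset(account, requested_email, now=None):
    """Return (deliver_to, token), or None if the address is not on file.

    The link is delivered to the stored address, never to the string the
    requester supplied, so an unlinked address cannot receive a reset link.
    """
    now = time.time() if now is None else now
    wanted = _norm(requested_email).encode()
    for on_file in ACCOUNTS.get(account, ()):
        if hmac.compare_digest(_norm(on_file).encode(), wanted):
            token = secrets.token_urlsafe(32)
            TOKENS[_digest(token)] = (account, now + TTL_SECONDS)
            return on_file, token
    return None  # caller should show the same generic response either way

def redeem(token, now=None):
    """Return the account a token resets, or None. Tokens are single use."""
    now = time.time() if now is None else now
    entry = TOKENS.pop(_digest(token), None)
    if entry is None or entry[1] < now:
        return None
    return entry[0]

def revoke_all():
    """Invalidate every outstanding reset link, as done after the incident."""
    count = len(TOKENS)
    TOKENS.clear()
    return count
```
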
Meta Says Instagram Account Recovery Flaw Led To 20,000 Account Hijacks





