Over 20,000 Instagram accounts stolen in Meta AI support hack
Meta disclosed that more than 20,000 Instagram accounts were hijacked after attackers exploited a flaw in its AI-powered High Touch Support (HTS) account-recovery tool that allowed password resets without verifying email addresses or requiring two-factor authentication. The breach appears to have begun in mid-April 2026; Meta disclosed the issue on May 31 and subsequently disabled HTS and the reset links it had generated. Personal data of affected users, such as email addresses, phone numbers, dates of birth, posts, DMs, and profile details, may have been exposed. Meta says it secured the compromised accounts, required password resets, and will fix the authentication checks and review other recovery flows across its platforms.

Overview
Meta disclosed that more than 20,000 Instagram users had their accounts hijacked in a breach that exploited an AI-assisted recovery system. Attackers leveraged a flaw in Meta’s High Touch Support (HTS) tool, designed to help users regain access after being locked out, to reset passwords. The core vulnerability was the failure to verify whether the email addresses used for password resets were actually associated with the targeted accounts. As a result, unauthorized actors obtained password reset links and gained access without requiring two-factor authentication.
Timeline of Events
- April 17, 2026: The breach likely began with the exploitation of the HTS flaw, according to regulatory filings.
- May 31, 2026: Meta disclosed the vulnerability to affected parties, noting that unauthorized third parties could perform password resets on Instagram accounts.
- June 8, 2026: Meta publicly stated that the incident had been contained, and impacted accounts were being secured. The company disabled the HTS AI-powered support system and blocked generated password reset links to prevent further hijack attempts.
- In parallel, a data breach letter filed with Maine’s Office of the Attorney General indicated that Meta was addressing the incident and securing accounts on a jurisdiction-by-jurisdiction basis.
How the Attack Worked
- The attacker’s entry point was HTS, an AI-assisted recovery channel used when users are locked out.
- The critical flaw: HTS did not adequately verify that the email addresses used for password resets were linked to real, existing accounts.
- Consequence: Attackers could issue password reset links and gain access to accounts without triggering 2FA requirements.
- Outcome: A large wave of account takeovers occurred, prompting Meta to take immediate defensive actions.
Scope and Nature of Impact
- Primary impact: More than 20,000 Instagram accounts were hijacked during the campaign.
- Data potentially accessed from affected accounts included:
  - Email addresses and phone numbers
  - Dates of birth and other contact information
  - Personal posts, photos, videos, stories
  - Direct messages and communications
  - Account activity history and interaction history
  - Profile details such as bios and profile photos
  - Access to other connected accounts and linked services
- Meta stated that it could not confirm the full extent of personal data accessed but warned that a broad set of information could have been exposed.
Meta’s Response and Remediation Efforts
- Immediate actions:
  - The HTS AI-powered recovery tool was disabled.
  - All password reset links generated by the tool were halted to block ongoing hijack attempts.
  - A security checkpoint was applied to potentially compromised accounts.
  - A password reset and re-authentication was requested from affected users to regain control.
- Preventive measures going forward:
  - Before re-launching HTS, Meta will fix the authentication check at the Instagram recovery entry point to ensure email addresses are properly verified against existing account information prior to initiating a password reset.
  - A comprehensive review of similar recovery flows across Meta’s platforms is underway to identify and remediate potential issues.
- Communications:
  - Meta’s vice president of communications acknowledged that the issue had been resolved and that impacted accounts were being secured.
  - The company indicated ongoing efforts to strengthen verification and authentication around account recovery processes.
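The defect class described under "How the Attack Worked" and the fix promised under "Preventive measures" can both be shown in a small model of a recovery endpoint. The code below is an added illustration, not Meta's HTS implementation: the account store, the mail outbox, the TOTP secret and every function name are constructed stand-ins, since the article gives no detail of the real system. The flawed version sends the reset link to whatever address the caller supplies and never requires the second factor; the hardened version treats the supplied address as a claim to check against the address on file, sends only to that address, gives the same answer for a non-matching address as for an unknown user, requires the second factor (here RFC 6238 TOTP) when one is enrolled, and consumes the token on use.

```python
"""Flawed account-recovery flow beside a hardened one (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

RESET_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    username: str
    email: str                     # address on file for this account
    totp_secret: Optional[bytes]   # None when no second factor is enrolled


@dataclass
class ResetRequest:
    token: str
    username: str
    sent_to: str
    expires_at: float
    second_factor_ok: bool


class Outbox:
    """Constructed stand-in for the mail sender; records where each link went."""
    def __init__(self):
        self.sent = []

    def send(self, to, token):
        self.sent.append((to, token))


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 (the usual authenticator-app default)."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


# --- Flawed flow: the class of defect the article describes -----------------

def vulnerable_start_reset(accounts, outbox, username, contact_email):
    """Link goes to the caller-supplied address, never compared with the
    address on file, and the request is marked as needing no second factor."""
    if username not in accounts:
        return None
    token = secrets.token_urlsafe(32)
    outbox.send(contact_email, token)
    return ResetRequest(token, username, contact_email,
                        time.time() + RESET_TTL_SECONDS, second_factor_ok=True)


def vulnerable_complete_reset(req, token):
    return time.time() < req.expires_at and hmac.compare_digest(req.token, token)


# --- Hardened flow ----------------------------------------------------------

def hardened_start_reset(accounts, outbox, username, contact_email):
    """The supplied address is a claim to verify, not a destination. The link
    is sent only to the address on file, and only when the claim matches;
    a mismatch gets the same result as an unknown user (no address oracle)."""
    acct = accounts.get(username)
    if acct is None:
        return None
    claimed = contact_email.strip().lower().encode()
    if not hmac.compare_digest(acct.email.lower().encode(), claimed):
        return None
    token = secrets.token_urlsafe(32)
    outbox.send(acct.email, token)
    return ResetRequest(token, username, acct.email,
                        time.time() + RESET_TTL_SECONDS,
                        second_factor_ok=acct.totp_secret is None)


def hardened_verify_second_factor(accounts, req, code):
    """Step-up for 2FA-enrolled accounts: accept the current or the previous
    30-second code (one step of clock skew), compared in constant time."""
    acct = accounts[req.username]
    if acct.totp_secret is None:
        return req.second_factor_ok
    now = time.time()
    for at in (now, now - 30):
        if hmac.compare_digest(totp(acct.totp_secret, at), code):
            req.second_factor_ok = True
            break
    return req.second_factor_ok


def hardened_complete_reset(req, token):
    """Completes only with an unexpired, matching token and a satisfied
    second-factor requirement; the token is consumed so it cannot be replayed."""
    if time.time() >= req.expires_at or not req.second_factor_ok:
        return False
    if not hmac.compare_digest(req.token, token):
        return False
    req.expires_at = 0.0   # single use
    return True


# Constructed sample account store (not real data).
SAMPLE_ACCOUNTS = {
    "alice": Account("alice", "alice@example.com", b"constructed-demo-secret"),
    "bob": Account("bob", "bob@example.com", None),
}
```

The design point is the one the article's remediation names: the recovery entry point must look up the address on file and compare the caller's claim against it, never the other way round, and a reset for an account with a second factor enrolled must itself demand that factor, or the recovery channel becomes a 2FA bypass. Returning the same response for a non-matching address as for an unknown account also keeps the endpoint from confirming which addresses belong to which accounts.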
Regulatory and Historical Context
- In the broader regulatory landscape, Meta has faced prior penalties related to data security:
  - Ireland previously fined Meta $264 million over a 2018 data breach affecting Facebook users’ sensitive information.
  - Meta was also fined €265 million ($275.5 million) in November 2022 for failing to protect user data from scraping activities.
  - Additional penalties included €91 million ($100 million) for storing user passwords in plaintext.
- These historical actions underscore ongoing regulatory scrutiny around data protection and account security practices for Meta’s services.
Additional Context and Notes
- The incident included correspondence with regulatory bodies, including a data breach letter filed with Maine’s Office of the Attorney General, which outlined the breach and the company’s remediation stance.
- Meta’s approach to future incident prevention emphasizes tightening verification for account recovery mechanisms and conducting a platform-wide review of similar flows that could be vulnerable to abuse.
Operational and Security Implications
- The event highlights the risk posed by AI-assisted support tools when embedded in critical authentication workflows.
- It demonstrates the importance of multi-layered verification for password resets and account recovery, especially for high-demand platforms with broad user bases.
- The incident serves as a case study in the balance between user convenience in recovery processes and robust security controls to prevent misuse by adversaries.
Related Topics and Context
- The breach is part of a broader pattern of account takeover and identity-related security incidents affecting major social platforms.
- Ongoing discussions around securing direct messaging, account activity histories, and linked services continue to shape regulatory and corporate responses.
Summary
Meta’s investigation into the Instagram HTS vulnerability reveals a high-impact breach that affected thousands of users by exploiting an AI-assisted account recovery mechanism. By not verifying email associations in password reset workflows, attackers gained unauthorized access to accounts without triggering 2FA. The response involved disabling the HTS tool, halting reset links, and enforcing re-authentication for impacted users, with a commitment to improving authentication checks and reviewing recovery flows across platforms. The incident sits within a history of regulatory actions against Meta related to data protection and security practices, underscoring the ongoing challenges of balancing user experience with robust security controls.