Over 20,000 Instagram accounts stolen in Meta AI support hack


Meta has revealed that over 20,000 Instagram users had their accounts hijacked in a recent incident where attackers used Meta's AI-powered support system to reset passwords.

As BleepingComputer reported one week ago, the threat actors exploited a flaw in the company's High Touch Support (HTS) tool, an AI-assisted support system that helps users regain access after being locked out of their Instagram accounts.

By exploiting the fact that HTS didn't verify whether the submitted email address was actually associated with the targeted Instagram account, they obtained password reset links that allowed them to log in and hijack accounts that did not have two-factor authentication (2FA) enabled.


After a wave of user reports regarding these attacks hit social media platforms, Andy Stone, Meta's vice president of communications, replied to one of the affected users, stating that the "issue has been resolved, and we are securing impacted accounts."

BleepingComputer also contacted Meta last week for comment on this security breach, but we have yet to hear back.

"We are writing to inform you that a vulnerability in an Instagram account recovery support tool was used to potentially compromise the Instagram accounts of 30 users in your jurisdiction. All accounts have been secured to prevent any continued unauthorized access," Meta said in a data breach letter recently filed with Maine's Office of the Attorney General.

"On May 31, 2026, Meta discovered that there was a vulnerability in an AI-assisted account recovery system for Instagram ('High Touch Support' or 'HTS') that was exploited by unauthorized third parties to perform password resets on Instagram user accounts," Meta explained.

While Meta didn't specify when the attacks began in the breach letter, the filing on Maine's OAG website says the breach occurred on April 17, which is likely the date of the first attack exploiting the HTS flaw.

Additionally, although the company said it has no information on what personal information might have been accessed or stolen from the compromised accounts, it noted that the attackers could've gained access to affected Instagram users' contact information (email address and/or phone number), dates of birth, social media posts and content (photos, videos, stories), direct messages and communications, account activity and interaction history, profile information (biography, profile photo), as well as other connected accounts and linked services.

Chat with Meta's AI support HTS agent (@thecomfeed)

After discovering the incident, the company disabled the HTS AI-powered support system and invalidated all password reset links it had generated, so that any further hijack attempts that were part of the same malicious campaign would be blocked.

It also enrolled all potentially stolen accounts into a mandatory security checkpoint and asked all affected users to reset their passwords again and re-authenticate to secure and regain control of the compromised accounts. 

"Prior to re-launching the tool, Meta will fix the authentication check in the Instagram recovery entry point to ensure proper verification of email addresses against existing account information before any password reset is initiated," Meta added. "Additionally, Meta is conducting a comprehensive review of similar account recovery flows across Meta’s platforms to identify and remediate any potential issues."

Prior to this incident, Ireland also fined Meta $264 million over a 2018 data breach that exposed the names, email addresses, phone numbers, and physical locations of over 29 million Facebook accounts.

Meta was also fined €265 million ($275.5 million) in November 2022 for failing to protect Facebook users' data from scrapers, and another €91 million ($100 million) for storing the passwords of hundreds of millions of users in plaintext.
