Meta Confirms 20,000 Instagram Accounts Hijacked After Attackers Exploit AI-Powered Support System to Bypass Authentication

Meta has disclosed that over 20,000 Instagram accounts were hijacked after attackers exploited a vulnerability in the company's AI-powered High Touch Support (HTS) system — an account recovery tool designed to help users regain access after being locked out. The flaw allowed unauthorized password resets without verifying whether the requesting email address was actually associated with the targeted account.

The breach was discovered on May 31, 2026, though filings with Maine's Office of the Attorney General indicate the first exploitation occurred on April 17 — meaning the vulnerability was actively exploited for approximately six weeks before detection. The attackers obtained password reset links through the HTS system and used them to log into accounts that did not have two-factor authentication enabled.

The core failure was straightforward: the AI-assisted recovery flow never checked that the email address supplied by the requester matched the address on file for the targeted Instagram account. An attacker could therefore name a target account, supply an address they controlled, receive a valid password reset link at that address, and reset the password; only accounts with 2FA enabled had a second barrier that kept the reset from becoming a login.

Meta has not confirmed what data was accessed or exfiltrated from compromised accounts, but acknowledged that attackers could have gained access to contact information (email and phone numbers), dates of birth, all social media content including photos, videos, and stories, direct messages and communications, account activity and interaction history, profile information, and connected accounts and linked services. For accounts used for business, influencer activity, or private communications, the exposure is significant.

After discovering the breach, Meta disabled the HTS system entirely and invalidated all password reset links it had generated. The company enrolled all potentially compromised accounts into a mandatory security checkpoint requiring password resets and re-authentication. Meta stated it will not relaunch the tool until a proper email verification check is implemented in the recovery flow, and is conducting a comprehensive review of similar account recovery mechanisms across all Meta platforms.

The incident highlights a growing risk as companies deploy AI-powered support systems that handle authentication-sensitive operations. The HTS tool was designed to streamline account recovery — but by automating the process without adequate identity verification, it created a scalable attack surface that threat actors exploited to hijack accounts at volume.

Significance:

This breach illustrates what happens when AI-assisted automation is applied to security-critical workflows without matching the verification rigor of the processes it replaces. A human support agent reviewing an account recovery request would typically verify ownership. The AI system skipped that step, and 20,000 accounts paid the price. As more platforms deploy AI-driven support tools to reduce costs and response times, the same pattern will repeat unless authentication checks are baked into the automation from the start — not bolted on after a breach. Any organization building AI-powered account recovery or support systems should treat this as a case study in what not to ship without proper identity validation.
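To make the missing check concrete, here is a hypothetical model of an AI-assisted recovery tool written for this write-up. It is not Meta's code and says nothing about how HTS was actually built; the names (Account, ResetTokens, vulnerable_reset, hardened_reset) and the toy mail service are assumptions. It shows the flawed pattern the article describes, a reset link mailed to whatever address the requester supplies, beside a hardened version that enforces ownership inside the tool rather than trusting the conversation layer, and it shows why 2FA was the only thing that saved the accounts that had it.

```python
# Added example, not Meta's code: a minimal model of an account-recovery tool
# that an AI support agent might call. All names here are assumed.
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email_on_file: str
    has_2fa: bool = False


@dataclass
class Mailbox:
    """Constructed stand-in for an outbound mail service: address -> messages."""
    sent: dict = field(default_factory=dict)

    def send(self, to: str, body: str) -> None:
        self.sent.setdefault(to, []).append(body)


class ResetTokens:
    """Single-use, time-limited reset tokens bound to the account they were issued for."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self.issued = {}  # token -> (username, expiry)

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.issued[token] = (username, time.time() + self.ttl)
        return token

    def redeem(self, token: str, username: str) -> bool:
        record = self.issued.pop(token, None)  # pop: a token works exactly once
        if record is None:
            return False
        owner, expiry = record
        return owner == username and time.time() < expiry


def vulnerable_reset(accounts, mail, tokens, username, claimed_email) -> str:
    """Flawed pattern: the tool trusts the address given during the recovery
    conversation and mails the reset link there, never comparing it with the
    address on file. Whoever supplies the address receives the link."""
    acct = accounts.get(username)
    if acct is None:
        return "no such account"
    token = tokens.issue(acct.username)
    mail.send(claimed_email, f"https://example.invalid/reset?token={token}")
    return "reset link sent"


def hardened_reset(accounts, mail, tokens, username, claimed_email) -> str:
    """Ownership check enforced inside the tool, not left to the model: a link
    is issued only when the claimed address matches the one on file, it is
    sent only to the address on file, and the response is identical in every
    case so the flow cannot be used to probe which email owns which account."""
    acct = accounts.get(username)
    if acct is not None and hmac.compare_digest(
        claimed_email.strip().lower().encode(), acct.email_on_file.lower().encode()
    ):
        token = tokens.issue(acct.username)
        mail.send(acct.email_on_file, f"https://example.invalid/reset?token={token}")
    return "if the details match our records, a reset link has been sent"


def _run_recovery(reset_fn, requester_email, victim_has_2fa) -> bool:
    """Drive one recovery attempt against a constructed victim account and
    report whether the requester ends up able to complete the reset."""
    accounts = {"victim": Account("victim", "victim@example.invalid", victim_has_2fa)}
    mail, tokens = Mailbox(), ResetTokens()
    reset_fn(accounts, mail, tokens, "victim", requester_email)
    links = mail.sent.get(requester_email, [])
    if not links:
        return False
    token = links[0].rsplit("token=", 1)[1]
    # Even a valid token still has to get past a second factor if one is enrolled.
    return tokens.redeem(token, "victim") and not accounts["victim"].has_2fa


def attacker_takes_over(reset_fn, victim_has_2fa=False) -> bool:
    """Attacker names the victim account but supplies their own address."""
    return _run_recovery(reset_fn, "attacker@example.invalid", victim_has_2fa)


def owner_recovers(reset_fn) -> bool:
    """The legitimate owner supplies the address actually on file."""
    return _run_recovery(reset_fn, "victim@example.invalid", False)


if __name__ == "__main__":
    print("vulnerable, no 2FA:", attacker_takes_over(vulnerable_reset))        # True
    print("vulnerable, 2FA   :", attacker_takes_over(vulnerable_reset, True))  # False
    print("hardened, no 2FA  :", attacker_takes_over(hardened_reset))          # False
    print("hardened, owner   :", owner_recovers(hardened_reset))               # True
```

The design point is where the check lives. In the vulnerable version the only thing standing between the attacker and a reset link is whatever the conversational layer decided to pass along; in the hardened version the tool itself refuses to deliver a link anywhere but the address already on record, so a model that is talked into accepting a bogus address cannot cause harm. The constant-time comparison and the uniform response are secondary hardening against using the recovery endpoint as an email-enumeration oracle.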