Meta's AI Support Tool Had a Bug. Hackers Found It First.
Around 20,000 Instagram accounts may have been hijacked after attackers found a way to exploit Meta's AI-powered account recovery tool. The method was embarrassingly simple: ask the chatbot to link your own email address to someone else's account, then use the resulting password reset link to walk straight in.
High-profile accounts were among those compromised, including the Obama White House, cosmetics brand Sephora, and US Space Force Chief Master Sergeant John Bentivegna. Some of the stolen accounts reportedly ended up for sale on the dark web. Criminals were brazen enough to share tutorial videos explaining exactly how the attack worked.
Meta has now formally notified the Maine Attorney General's Office, putting the total number of potentially affected users at 20,225, though the company's associate general counsel for incident response, Amber Hannah, noted that figure might be slightly inflated. The count includes any account where a password reset was triggered via the support tool, two-factor authentication was absent, and access by an unauthorised party seemed likely. Some of those resets may have been legitimate.
The tool in question is called High Touch Support, or HTS, and it exists to help people regain access to locked accounts. Meta discovered it was being abused on 31 May. The underlying flaw wasn't in the tool itself, but in a separate code path that was supposed to verify email addresses. It didn't. When a hacker provided an email address with no prior connection to the target account, the system sent a password reset link to that address anyway instead of rejecting the request outright. From there, any account without 2FA enabled was fully exposed.
Accounts protected by two-factor authentication were safe. Everyone else was not.
Meta says it cannot confirm whether attackers accessed personal data stored within the compromised accounts, but the potential scope is uncomfortable. Profile details, email addresses, phone numbers, dates of birth, direct messages, posts, and interaction history could all have been within reach.
The HTS tool has been taken offline while the vulnerability is fixed. Password reset links generated through the exploit have been invalidated, affected accounts have had their passwords reset, and those users have been enrolled in a mandatory security checkpoint. Meta says it also plans to notify impacted users directly, urging them to review their security settings and, belatedly, turn on 2FA.
The incident is a fairly crisp illustration of what happens when AI-powered support tooling ships with insufficient input validation. The AI part didn't cause the breach; a sloppy code path did. But the tool provided the attack surface. Worth keeping in mind next time someone pitches you on AI-assisted customer support as a low-risk efficiency win.