Meta disclosed that approximately 20,000 Instagram accounts were compromised through a bug in its High Touch Support (HTS) account recovery tool, which failed to verify that the email address provided during a password reset request matched the one associated with the targeted account. This allowed attackers to redirect password reset links to their own email addresses and take over accounts that lacked two-factor authentication (2FA). Meta has since disabled the vulnerable tool, invalidated the exploited reset links, reset affected account passwords, and plans to notify impacted users.
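The missing check described above, sketched as an added example (not Meta's code and not taken from the HTS tool): a reset request is honoured only when the supplied address matches the one on file, the link is delivered only to the stored address, and outstanding tokens can be revoked. The account table, function names, token lifetime and in-memory stores are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: account -> email address on file (not real accounts).
ACCOUNTS = {"alice": "alice@example.com"}
TOKEN_TTL = 900   # seconds; assumed lifetime for a reset link
TOKENS = {}       # sha256(token) -> (account, expiry); raw tokens are never stored
OUTBOX = []       # (recipient, token) pairs standing in for a mail gateway


def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(account, supplied_email, now=None):
    """Queue a reset mail only if supplied_email matches the address on file.

    Returns True when a mail was queued; the caller should show the same
    response in both cases so the endpoint does not reveal which matched.
    """
    now = time.time() if now is None else now
    on_file = ACCOUNTS.get(account)
    if on_file is None:
        return False
    supplied = supplied_email.strip().lower().encode()
    # The verification the page says was absent.
    if not hmac.compare_digest(supplied, on_file.lower().encode()):
        return False
    token = secrets.token_urlsafe(32)
    TOKENS[digest(token)] = (account, now + TOKEN_TTL)
    # Deliver to the stored address, never to the request-supplied one.
    OUTBOX.append((on_file, token))
    return True


def redeem(token, now=None):
    """Return the account a token resets, or None. Tokens are single-use."""
    now = time.time() if now is None else now
    entry = TOKENS.pop(digest(token), None)
    if entry is None or entry[1] < now:
        return None
    return entry[0]


def invalidate_all(account):
    """Revoke every outstanding reset token for an account (response step)."""
    stale = [d for d, (acct, _) in TOKENS.items() if acct == account]
    for d in stale:
        del TOKENS[d]
    return len(stale)
```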