Over 20,000 Instagram accounts stolen in Meta AI support hack
Over 20,000 Instagram accounts were hijacked by attackers exploiting a vulnerability in Meta's AI-powered High Touch Support (HTS) system. The flaw allowed attackers to reset passwords without verifying that email addresses matched the targeted Instagram accounts, enabling account takeovers of users without two-factor authentication. Meta discovered the breach on May 31, 2026, with attacks starting around April 17, 2026. The company disabled the vulnerable support system, invalidated all generated password reset links, secured affected accounts, and required password resets and re-authentication. Meta plans to fix the authentication checks before re-launching the tool and is reviewing other account recovery flows for similar issues. The attackers may have accessed personal data including contact information, social media content, messages, and linked accounts. No known exploits in the wild beyond this incident have been reported.
AI Analysis
Technical Summary
Attackers exploited a vulnerability in Meta's AI-assisted Instagram account recovery tool called High Touch Support (HTS). The flaw was that HTS did not verify whether the email address used for password reset requests was associated with the targeted Instagram account. This allowed attackers to obtain password reset links and hijack accounts lacking two-factor authentication. Meta detected the breach on May 31, 2026, with initial exploitation around April 17, 2026. The company disabled the HTS system and all related reset links, secured compromised accounts, and mandated password resets and re-authentication for affected users. Meta is fixing the verification process in the recovery tool and reviewing similar systems across its platforms to prevent recurrence. The breach potentially exposed users' personal information and social media content.
Potential Impact
The vulnerability led to the compromise of over 20,000 Instagram accounts. Attackers gained unauthorized access by resetting passwords without proper verification, affecting users without two-factor authentication enabled. Potentially exposed data includes contact information (email, phone), dates of birth, social media posts, direct messages, account activity, profile information, and linked accounts. Meta has secured impacted accounts and invalidated all password reset links generated by the compromised system. There is no indication of further exploitation beyond this incident.
Mitigation Recommendations
Meta has disabled the vulnerable AI-powered High Touch Support system and invalidated all password reset links it generated. Affected accounts have been secured with mandatory password resets and re-authentication. Prior to re-launching the recovery tool, Meta will implement proper verification of email addresses against account information to prevent unauthorized password resets. Additionally, Meta is conducting a comprehensive review of similar account recovery processes across its platforms. Users are advised to enable two-factor authentication to enhance account security. Patch status is not explicitly stated but Meta is actively remediating the issue and securing accounts.
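The missing check and the containment steps described above can be expressed as a small reset-link issuer. This is an added example, not Meta's code or anything from the source article: `ResetService`, the channel tags and the sample accounts are hypothetical, and it assumes reset links are tagged with the channel that issued them so one channel's links can be revoked together.

```python
import hashlib
import secrets
import time

# Constructed sample data: each account lists the email addresses on file.
ACCOUNTS = {"alice": {"emails": {"alice@example.com"}},
            "bob": {"emails": {"bob@example.org"}}}

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class ResetService:
    """Hypothetical reset-link issuer; not Meta's implementation."""

    def __init__(self, accounts, ttl=900):
        self.accounts, self.ttl = accounts, ttl
        self.tokens = {}            # sha256(token) -> {"user", "channel", "exp"}
        self.disabled = set()       # channels taken offline during containment

    def issue(self, username, requested_email, channel, now=None):
        """Return (delivery_address, token), or None if the request is refused."""
        now = time.time() if now is None else now
        account = self.accounts.get(username)
        if account is None or channel in self.disabled:
            return None
        email = requested_email.strip().lower()
        # The check the report says was missing: the address must already be
        # associated with the target account, whatever the requester claims.
        if email not in account["emails"]:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = {"user": username, "channel": channel,
                                       "exp": now + self.ttl}
        return email, token

    def redeem(self, username, token, now=None):
        """Single use: the record is removed on the first attempt."""
        now = time.time() if now is None else now
        rec = self.tokens.pop(_digest(token), None)
        return rec is not None and rec["user"] == username and rec["exp"] > now

    def disable_channel(self, channel):
        """Stop issuance from one channel and revoke its outstanding links."""
        self.disabled.add(channel)
        stale = [h for h, r in self.tokens.items() if r["channel"] == channel]
        for h in stale:
            del self.tokens[h]
        return len(stale)
```

Only a hash of each token is stored, so a read of the token table does not yield usable links, and `disable_channel` returns the number of links it revoked for the incident record.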
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/meta-ai-support-data-breach-affects-20-000-instagram-accounts/ (fetched 2026-06-08T06:05:07.247Z, word count 897)
Threat ID: 6a265b93e29bf47b50a82070
Added to database: 6/8/2026, 6:05:07 AM
Last enriched: 6/8/2026, 6:05:23 AM
Last updated: 6/8/2026, 11:42:02 AM
Views: 8