Meta AI Support Flaw Led to 20,225 Instagram Account Takeovers
A vulnerability in Meta’s AI-assisted account recovery system allowed attackers to hijack 20,225 Instagram accounts by redirecting password reset links to email addresses they controlled.
The flaw affected High Touch Support, or HTS, an AI-powered system designed to help locked-out Instagram users recover their accounts. The recovery process failed to properly confirm that a newly submitted email address was already associated with the account being targeted.
Attackers could therefore request a password reset link, send it to their own email address and change the victim’s password. Accounts without two-factor authentication were especially vulnerable because attackers could log in immediately after completing the reset.
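The two code paths the article contrasts, modelled as an added example (constructed here, not Meta's code): the buggy path mails the reset link to whatever address the caller submits, the hardened path only ever mails the address already bound to the account, and a small check flags any delivery that went elsewhere. Account names and addresses are constructed.

```python
"""Password-reset flow: caller-supplied address versus address bound to the account."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed account store: username -> email address bound to the account.
ACCOUNTS = {"alice": "alice@example.com"}

def _same_address(a, b):
    # Case-insensitive, constant-time comparison of two addresses.
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())

@dataclass
class ResetService:
    outbox: list = field(default_factory=list)   # (username, destination, token) as delivered
    tokens: dict = field(default_factory=dict)   # one outstanding link per username

    def request_reset_vulnerable(self, username, submitted_email):
        """Bug pattern described in the article: trusts the submitted address."""
        if username not in ACCOUNTS:
            return False
        token = secrets.token_urlsafe(32)
        self.tokens[username] = token
        self.outbox.append((username, submitted_email, token))  # link goes wherever asked
        return True

    def request_reset_hardened(self, username, submitted_email):
        """Link is only ever sent to the address already bound to the account."""
        bound = ACCOUNTS.get(username)
        if bound is None or not _same_address(submitted_email, bound):
            return True  # same generic reply either way: no hint which address is on file
        token = secrets.token_urlsafe(32)
        self.tokens[username] = token   # supersedes any earlier outstanding link
        self.outbox.append((username, bound, token))
        return True

    def invalidate_all(self):
        """Remediation step the article describes: void every outstanding link."""
        self.tokens.clear()

    def consume(self, username, token):
        """Redeem a link once; a reused or stale token is rejected."""
        live = self.tokens.get(username)
        if live is None or not hmac.compare_digest(live, token):
            return False
        del self.tokens[username]
        return True

def deliveries_to_foreign_address(outbox):
    """Detection: reset links that were routed anywhere but the bound address."""
    return [(u, dest) for u, dest, _ in outbox if not _same_address(dest, ACCOUNTS.get(u, ""))]
```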
Meta discovered the vulnerability on May 31, 2026, according to a breach notification filed with the Maine Office of the Attorney General. The filing lists April 17 as the date of the breach, indicating the campaign may have continued for more than a month before Meta identified it.
“The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account,” said Amber Hannah, Meta’s associate general counsel for incident response legal.
Meta said it does not know exactly what information attackers accessed. Compromised accounts could have exposed email addresses, phone numbers, dates of birth, profile information, photos, videos, stories, direct messages, account activity and connected services.
The company disabled the HTS system, invalidated previously generated reset links and placed potentially compromised accounts behind a mandatory security checkpoint. Affected users were required to reset their passwords and authenticate again.
Andy Stone, Meta’s vice president of communications, said the “issue has been resolved, and we are securing impacted accounts.”
The incident highlights a larger cybersecurity problem as companies give AI agents permission to perform sensitive actions such as resetting passwords and changing identity credentials.
“This is a great illustration of why AI agent authorization is the harder, and more critical, problem than authentication,” said Dan Moore, senior director of CIAM strategy and identity standards at FusionAuth. “Meta's bot verified nothing about who was asking; it just helpfully did what it was told to do, up to and including sending the attacker email a confirmation code to make sure the new email address was valid.”
Moore said the technology industry has focused heavily on preventing AI systems from generating harmful content while paying less attention to whether those systems should be permitted to perform high-risk actions.
“The industry is pretty focused on keeping AI from saying bad things. That’s fine, as long as we don’t completely overlook whether AI should be allowed to do what it's trying to do,” Moore said.
Rishi Kaushal, CIO at Entrust, said account recovery should be treated as a high-value identity transaction rather than a low-friction support request.
“When AI systems have elevated permissions like password resets or identity authentication, strong, layered identity controls become critical,” Kaushal said. “Rather than treating password resets as low-friction support tasks, they should be handled as high-value identity events, requiring step-up verification similar to financial transactions.”
Kaushal added that deepfakes and synthetic identities are making basic verification methods less reliable.
“Combining KYC-grade identity assurance with liveness detection significantly strengthens defenses,” he said.
Meta said it will repair the authentication check before restoring HTS and is reviewing similar recovery processes across its platforms. The breach shows that AI support agents need strict authorization limits, independent identity checks and additional verification before they are allowed to alter account access.