Over 20,000 Instagram Accounts Hijacked Through Meta AI Support Flaw

AI-Powered Recovery Tool Opens the Door to Account Takeovers

Meta has confirmed that attackers hijacked more than 20,000 Instagram accounts by exploiting a flaw in an AI-powered account recovery system.

The incident highlights a growing cybersecurity concern. As companies adopt AI to improve customer support, attackers continue to look for weaknesses in automated processes. In this case, a security gap in Meta's recovery workflow allowed threat actors to take control of user accounts.

How the Attack Worked

The attackers targeted Meta's High Touch Support (HTS) platform. This AI-assisted tool helps users regain access to locked Instagram accounts.

Researchers found that the system failed to verify whether a submitted email address actually belonged to the Instagram account being recovered. Because of this flaw, attackers could request password reset links for accounts they did not own.

Once they received the reset links, they changed account credentials and gained access to victim accounts. Users who had not enabled two-factor authentication faced the highest risk.

This attack demonstrates a common security problem. Many organizations focus heavily on login protection. However, attackers often target account recovery systems because they can bypass normal authentication controls.

What Information Could Have Been Exposed?

Meta stated that it has not confirmed exactly what data attackers accessed. However, the company warned that compromised accounts may have exposed a wide range of personal information.

Potentially exposed data includes:

  • Email addresses
  • Phone numbers
  • Dates of birth
  • Profile information
  • Photos and videos
  • Instagram stories
  • Direct messages
  • Account activity history
  • Linked services and connected accounts

The amount of accessible information makes account takeover incidents particularly damaging. Attackers can use stolen data for identity theft, phishing campaigns, social engineering, and additional account compromises.

Meta's Response to the Incident

Meta discovered the vulnerability on May 31, 2026. After identifying the issue, the company acted quickly to stop further abuse.

The company disabled the HTS support platform and invalidated all password reset links generated through the affected system. It also placed impacted accounts into mandatory security reviews.

Additionally, Meta required affected users to reset their passwords and verify account ownership before regaining access.

Before restoring the service, the company plans to strengthen verification checks. Future recovery requests will require proper validation of email addresses before password resets can occur.
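
The ownership check described above, shown as an added example that is not Meta's code: a recovery handler that mails the link to whatever address the requester submits, next to one that binds the request to the address on file. The account store, function names and audit event name are hypothetical, and the sample data is constructed.

```python
import hmac
import secrets

# Constructed sample data: username -> verified email address on file.
ACCOUNTS = {"alice": "alice@example.com", "bob": "bob@example.com"}


def _norm(email: str) -> bytes:
    """Normalize for comparison (trim whitespace, case-fold)."""
    return email.strip().casefold().encode()


def recover_unchecked(username, submitted_email, outbox):
    """Flawed pattern: the link goes to whatever address the requester supplies."""
    if username not in ACCOUNTS:
        return None
    outbox.append((submitted_email, username, secrets.token_urlsafe(32)))
    return submitted_email


def recover_checked(username, submitted_email, outbox, audit):
    """Hardened pattern: bind the request to the address on file."""
    on_file = ACCOUNTS.get(username)
    if on_file is None or not hmac.compare_digest(_norm(on_file), _norm(submitted_email)):
        # Record the mismatch for detection; the caller should show the same
        # generic "if the details match, we sent a link" message either way.
        audit.append({"event": "recovery_email_mismatch", "account": username})
        return None
    # Deliver only to the stored address, never to the submitted string.
    outbox.append((on_file, username, secrets.token_urlsafe(32)))
    return on_file


if __name__ == "__main__":
    sent, audit = [], []
    # Constructed request: names alice's account but supplies a different address.
    print(recover_unchecked("alice", "other@example.net", sent))
    print(recover_checked("alice", "other@example.net", sent, audit))
    print(recover_checked("alice", " Alice@Example.com ", sent, audit))
```

Repeated `recovery_email_mismatch` events against one account, or from one requester across many accounts, are a useful signal to alert on.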

Meta is also reviewing similar account recovery workflows across its platforms to identify and fix related security weaknesses.

Why This Incident Matters

This breach offers an important lesson for security teams. AI can improve efficiency and reduce support workloads. However, organizations must apply the same security standards to AI-powered systems that they apply to traditional applications.

A single verification failure can undermine strong authentication controls. As a result, attackers can bypass security measures that organizations spent years building.

The incident also shows why recovery processes deserve regular security testing. Attackers frequently target password reset and account recovery functions because they often receive less scrutiny than login systems.

Security Lessons for Users

Users can reduce their risk by enabling two-factor authentication on all important accounts. Even when attackers obtain passwords or reset links, 2FA adds another layer of protection.

Users should also create unique passwords, monitor account activity, and review account recovery settings regularly.

As organizations expand their use of AI-powered support tools, security teams must ensure that convenience never weakens identity verification. Otherwise, attackers will continue turning automated systems into effective attack paths.