Over 20,000 Instagram Accounts Hijacked Through Meta AI Support Flaw

Meta has confirmed that attackers hijacked more than 20,000 Instagram accounts by exploiting a flaw in an AI-powered account recovery system.

The incident highlights a growing cybersecurity concern. As companies adopt AI to improve customer support, attackers continue to look for weaknesses in automated processes. In this case, a security gap in Meta’s recovery workflow allowed threat actors to take control of user accounts.

How the Attack Worked

The attackers targeted Meta’s High Touch Support (HTS) platform. This AI-assisted tool helps users regain access to locked Instagram accounts.

Researchers found that the system failed to verify whether a submitted email address actually belonged to the Instagram account being recovered. Because of this flaw, attackers could request password reset links for accounts they did not own and have them delivered to an address under their own control.

Once they received the reset links, they changed the account credentials and locked the legitimate owners out. Users who had not enabled two-factor authentication faced the highest risk, since for them a reset link alone was enough to complete the takeover.

This attack demonstrates a common security problem. Many organizations invest heavily in protecting the login form itself. However, attackers often target account recovery systems instead, because a recovery flow that hands out credentials on weaker evidence than the login demands is an easier path around the normal authentication controls.
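To make the failure concrete, here is an added illustration of the two recovery flows the article describes, side by side. It is example code written for this page, not Meta's code or anything from the HTS platform, and everything in it (the account store, the outbox, the token store, the demo 2FA secret) is constructed. The flawed flow mails a reset token to whatever address the requester types; the hardened flow treats that address as a claim, only mails an address already verified on the account, answers identically whether or not anything matched, and requires a current TOTP code at redemption for accounts that enabled 2FA.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional


# Constructed sample accounts for the demonstration; not real users.
@dataclass
class Account:
    username: str
    verified_emails: frozenset          # addresses the user has confirmed
    totp_secret: Optional[bytes] = None  # set when the user enabled 2FA


ACCOUNTS = {
    "victim": Account("victim", frozenset({"victim@example.com"})),
    "protected": Account("protected", frozenset({"protected@example.com"}),
                         totp_secret=b"constructed-demo-secret"),
}

OUTBOX = []   # (recipient, token) pairs that "would have been emailed"
TOKENS = {}   # token -> (username, expiry); single-use reset tokens
TOKEN_TTL_SECONDS = 600
GENERIC_REPLY = "If that address is on file, a reset link has been sent."


def _issue_token(username):
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (username, time.time() + TOKEN_TTL_SECONDS)
    return token


def vulnerable_request_reset(username, submitted_email):
    """Flawed flow of the kind the article describes: the submitted address
    is never checked against the account, so the link goes wherever the
    requester says. Anyone who knows a username receives its reset link."""
    if username not in ACCOUNTS:
        return False
    OUTBOX.append((submitted_email, _issue_token(username)))
    return True


def _normalize(email):
    return email.strip().lower()


def hardened_request_reset(username, submitted_email):
    """Hardened flow: the submitted address is only a claim. A link is issued
    only when it matches an address already verified on the account, and the
    reply is the same in every case so the endpoint cannot be used to
    enumerate accounts or the addresses attached to them."""
    account = ACCOUNTS.get(username)
    claimed = _normalize(submitted_email).encode()
    matched = False
    if account is not None:
        for verified in account.verified_emails:
            # OR-accumulate constant-time comparisons so the timing does not
            # reveal which address, if any, matched
            matched |= hmac.compare_digest(_normalize(verified).encode(), claimed)
    if matched:
        OUTBOX.append((claimed.decode(), _issue_token(username)))
    return GENERIC_REPLY


def totp_now(secret, offset=0):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) for the current step."""
    counter = int(time.time() // 30) + offset
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    start = digest[-1] & 0x0F
    code = (int.from_bytes(digest[start:start + 4], "big") & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


def _totp_valid(secret, code):
    if code is None:
        return False
    ok = False
    for offset in (-1, 0, 1):   # tolerate one step of clock skew either way
        ok |= hmac.compare_digest(totp_now(secret, offset), code)
    return ok


def redeem_reset(token, totp_code=None):
    """Completes the reset. Returns the username whose password may now be
    changed, or None. Accounts with 2FA must also present a current code, so
    a stolen or mis-delivered link alone is not enough for those accounts."""
    entry = TOKENS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if time.time() > expiry:
        TOKENS.pop(token, None)
        return None
    account = ACCOUNTS[username]
    if account.totp_secret is not None and not _totp_valid(account.totp_secret, totp_code):
        return None           # wrong code does not consume the token
    TOKENS.pop(token, None)   # single use
    return username
```

Running the flawed flow with `vulnerable_request_reset("victim", "attacker@example.net")` puts a valid token for `victim` in the attacker's inbox, and `redeem_reset` on that token succeeds; the hardened flow returns the generic reply without issuing anything. The design point is that the recovery endpoint must decide the destination from what the account already has on file, never from the request, and that its response must not leak whether the match happened.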

What Information Could Have Been Exposed?

Meta stated that it has not confirmed exactly what data attackers accessed. However, the company warned that compromised accounts may have exposed a wide range of personal information.

Potentially exposed data includes:

  • Email addresses
  • Phone numbers
  • Dates of birth
  • Profile information
  • Photos and videos
  • Instagram stories
  • Direct messages
  • Account activity history
  • Linked services and connected accounts

The breadth of data reachable from a single hijacked account is what makes account takeover incidents so damaging. Attackers can use the stolen information for identity theft, phishing campaigns, social engineering of the victim's contacts, and further compromises of the linked services and connected accounts.