Meta said a flaw in its Instagram account recovery system led to the takeover of more than 20,000 accounts, after attackers used the company’s AI-assisted support tool to reset passwords and bypass protection on accounts without two-factor authentication.
KEY FACTS
- Incident Attackers used High Touch Support, an AI-assisted recovery tool, to generate password reset links.
- Scale Meta said the issue affected more than 20,000 Instagram users.
- Timeline The company said it discovered the vulnerability on May 31, 2026, and Maine filing materials point to April 17 as the breach date.
- Impact The disclosure says exposed data could include contact details, posts, messages, profile information and linked services.
In a data breach letter filed with Maine’s Office of the Attorney General, the company said a vulnerability in an Instagram recovery support tool was used to potentially compromise the accounts of 30 users in that jurisdiction. It added that all affected accounts were secured.
The attack worked because the recovery system did not verify whether email addresses were linked to the targeted Instagram accounts before issuing password reset links. That allowed unauthorized third parties to reset passwords on accounts that lacked two-factor authentication.
Meta said it disabled the AI-powered support system and invalidated the reset links it had generated. The company also placed potentially affected accounts into a mandatory security checkpoint and asked users to reset passwords again and re-authenticate.
The disclosure said Meta does not know what personal information was accessed or stolen. It listed contact information, dates of birth, social media content, direct messages, account activity, profile information and other connected accounts as data that could have been reached.
WHY IT MATTERS
The case shows how account recovery systems can become a route into large numbers of accounts if identity checks are weak. For users, the main risk is account loss and exposure of personal data when password reset tools are abused.