Confirmed: Meta AI flaw let hackers hijack over 20,000 Instagram accounts
Meta has confirmed that hackers exploited its AI-assisted Instagram recovery tool to reset passwords and seize more than 20,000 accounts.

Meta has confirmed that a vulnerability in its AI-powered Instagram account recovery system allowed attackers to take over more than 20,000 Instagram accounts. The flaw was found in Meta's High Touch Support (HTS) tool, an AI-assisted recovery system designed to help users regain access to locked Instagram accounts. According to the company, attackers exploited the flaw to obtain password reset links and gain control of accounts that did not have two-factor authentication (2FA) enabled.
Meta's acknowledgement of the flaw comes after weeks of complaints from Instagram users who reported being locked out of their accounts. Several prominent accounts were also reportedly affected, including the Barack Obama White House account, Sephora's Instagram account, and the Chief Master Sergeant of Space Force account. Responding to one affected user on X, Meta's vice-president of communications, Andy Stone, said the "issue has been resolved" and that the company is securing impacted accounts.
What exactly happened?
According to reports by 404 Media, the hackers took advantage of a critical oversight in Meta's AI support workflow. The HTS system reportedly failed to verify whether an email address provided during account recovery was actually linked to the Instagram account being targeted. Attackers allegedly convinced the support bot to associate a victim's account with a new email address under their control and then requested a password reset. Once they received the reset code, they were able to gain access to the account.
Screenshots and videos circulating on Telegram reportedly showed hackers interacting directly with the AI support assistant. In some cases, attackers are said to have used VPN services to match the account owner's location before initiating the recovery process, making their requests appear more legitimate.
Meta formally disclosed the incident in a data breach notification filed with the Maine Office of the Attorney General, as first reported by BleepingComputer. The company said it discovered the vulnerability on May 31, 2026, and found that unauthorised parties had exploited the flaw to perform password resets on Instagram accounts.
The filing indicates that the breach may have begun as early as April 17, which is believed to be the date of the first successful attack. Meta told Maine authorities that 30 users in the state were affected and that all impacted accounts had since been secured. The company estimated that more than 20,000 Instagram accounts were affected globally by the exploit.
Meta also acknowledged that it cannot determine exactly what information may have been accessed by attackers. However, it suggests that compromised accounts may have exposed email addresses, phone numbers, dates of birth, profile information, photos, videos, Stories, direct messages, account activity records, and details of linked services.
Meta has fixed the issue
Following the discovery of the flaw, Meta disabled the HTS recovery system and invalidated all password reset links generated through the tool. It also put potentially affected users through additional security checks and required password resets before allowing them to regain access to their accounts. The company said it will strengthen the email verification process before relaunching the tool and is reviewing similar recovery systems across its platforms.
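The oversight described above (a recovery flow that binds whatever email the requester supplies, then sends the reset there) and the stricter email verification Meta says it will add before relaunching the tool can both be shown in a small model. The following Python is an added illustration written for this page, not Meta's code and not a description of how HTS is implemented; the `Account` class, the `second_factor_code` stand-in for a real second-factor check, and the audit events are all constructed assumptions. It places the flawed flow beside a hardened one, and adds a detection helper that surfaces the pattern a defender would look for in a support tool's logs: an email bound without proof of ownership followed by a reset delivered to it.

```python
import hmac
import secrets
from dataclasses import dataclass, field


class RecoveryError(Exception):
    """Raised when a recovery request fails a safety check."""


@dataclass
class Account:
    username: str
    bound_emails: set                 # emails the owner verified earlier
    has_2fa: bool = False
    second_factor_code: str = None    # stand-in for a real TOTP check (assumption)
    issued: dict = field(default_factory=dict)   # email -> reset token delivered there
    audit: list = field(default_factory=list)    # (event, email) decision log


def _issue_token(acct, email):
    """Mint a reset token and record which mailbox it was sent to."""
    token = secrets.token_urlsafe(16)
    acct.issued[email] = token
    acct.audit.append(("reset_issued", email))
    return token


def recover_unverified(acct, requested_email):
    """Flawed flow, modelled on the reported oversight: the requester's email is
    bound to the account with no proof it belongs to the owner, and a reset
    token is then sent to that new address."""
    acct.bound_emails.add(requested_email)
    acct.audit.append(("email_bound_unverified", requested_email))
    return _issue_token(acct, requested_email)


def recover_verified(acct, requested_email, second_factor=None):
    """Hardened flow: a reset token only goes to an email that was already bound
    to the account before the request, and a 2FA-protected account must also
    present its second factor. Adding a new email is not part of recovery."""
    if requested_email not in acct.bound_emails:
        acct.audit.append(("reset_denied_unbound_email", requested_email))
        raise RecoveryError("email is not linked to this account")
    if acct.has_2fa:
        ok = second_factor is not None and hmac.compare_digest(
            str(second_factor), str(acct.second_factor_code))
        if not ok:
            acct.audit.append(("reset_denied_2fa", requested_email))
            raise RecoveryError("second factor required")
    return _issue_token(acct, requested_email)


def flag_unverified_bindings(acct):
    """Detection helper: emails that were bound without verification and then
    received a reset token, in the order the resets were issued."""
    bound = {e for ev, e in acct.audit if ev == "email_bound_unverified"}
    return [e for ev, e in acct.audit if ev == "reset_issued" and e in bound]


if __name__ == "__main__":
    # Constructed sample: an account whose owner verified one email earlier.
    acct = Account("demo_user", {"owner@example.com"})
    recover_unverified(acct, "unverified@example.net")
    print("flagged by the flawed flow:", flag_unverified_bindings(acct))
    try:
        recover_verified(acct, "other@example.net")
    except RecoveryError as err:
        print("hardened flow refused:", err)
```

The design point is that the email an account can be recovered through must be fixed before the request arrives; a support workflow, human or AI-assisted, that lets the requester change it mid-recovery has turned "prove you own this account" into "name a mailbox you control". The audit list is what makes the flaw observable after the fact: every binding and every token delivery is logged with the address involved, so a defender can query for the unverified-bind-then-reset sequence rather than reconstructing it from user complaints.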
Meanwhile, the incident has intensified scrutiny of Meta's broader push to replace traditional customer support with AI. Earlier this year, the company expanded AI-powered support across Facebook and Instagram, allowing the system to handle password resets, account recovery, and security-related requests. However, the latest breach highlights the risks of handing critical security decisions to automated systems without adequate safeguards.