The breach involved Instagram’s High Touch Support system, an AI-assisted recovery tool designed to help users regain control of locked accounts. Meta said the vulnerability was discovered on 31 May 2026 and involved a separate code path that failed to confirm whether an email address submitted for a password reset matched the email already linked to the account. The failure meant reset links could be sent to addresses controlled by attackers rather than to the rightful account holders.
The company put the affected figure at 20,225 accounts, describing it as an upper-bound estimate because some access attempts may have been legitimate. The incident affected accounts that had their passwords reset through the support tool, lacked two-factor authentication, and were likely accessed by an unauthorised party. Meta has said it is not aware of specific evidence that personal data was viewed or extracted, but acknowledged that account access could have exposed emails, phone numbers, dates of birth, posts, photos, videos, stories, direct messages, profile information, account activity and linked services.
The episode appears to have unfolded over several weeks. The breach window began on 17 April and was detected on 31 May, with Meta saying it resolved the immediate issue by 1 June. Instructions for abusing the flaw circulated online, and attackers used the recovery process to request password resets for accounts they did not own. Some reports linked the exploit to takeovers of prominent accounts, including public-facing profiles associated with official or high-profile entities, though Meta’s formal disclosure focused on the broader affected-user count and the mechanics of the flaw.
Meta’s response included disabling the High Touch Support system, removing the faulty code path, invalidating password reset links generated through the exploit, resetting affected account passwords and placing potentially affected users into a mandatory security checkpoint. The company said users would have to authenticate again through verified channels before regaining access. It also said it would repair the authentication check before relaunching the tool and review similar account recovery flows across its platforms.
The case underlines a growing risk for technology companies that are embedding AI into support, safety and account-management functions. Automated systems can reduce response times and support costs, but account recovery is a high-risk function because it can directly trigger privileged actions such as password resets, email changes and restored access. Security specialists have warned that AI tools used in these workflows need the same controls as conventional identity and access-management systems, including strict validation, audit logs, abuse monitoring and limits on what automated agents can approve without human review.
The flaw also highlights the continuing importance of two-factor authentication for Instagram users. Accounts without 2FA were exposed to takeover once a reset link was obtained, while stronger authentication would have added another barrier before an attacker could gain full control. Meta has urged affected users to review account settings, use strong passwords and enable two-factor authentication, especially for accounts used by creators, brands, public figures and organisations whose profiles carry commercial or reputational value.
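The three threads above, the missing email check, the controls an AI-assisted recovery tool should inherit from conventional IAM (validation, audit logs, abuse monitoring, a human-review limit), and the extra barrier 2FA adds, can be seen together in a small recovery flow. The code below is an added illustration, not Meta's or Instagram's code; the account records, recovery codes, threshold and function names are all constructed for the example. It contrasts a reset path shaped like the flaw described in the article with a hardened path, and includes the kind of bulk link invalidation the response relied on.

```python
"""Added example, not Meta's or Instagram's code: a minimal account-recovery
flow that contrasts the flaw described in the article (a reset path that never
checks the submitted email against the address on file) with a hardened path.
Account records, recovery codes and thresholds are constructed for illustration."""
from __future__ import annotations

import hmac
import secrets
from collections import Counter
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    linked_email: str            # the only address a reset link may ever be sent to
    has_2fa: bool
    recovery_code: str | None    # stand-in for a second factor (constructed)
    password_hash: str = "old"   # placeholder; a real system stores a salted hash


# Constructed sample directory
ACCOUNTS: dict[str, Account] = {
    "alice": Account("alice", "alice@example.com", False, None),
    "brand_official": Account("brand_official", "ops@brand.example", True, "RC-7731"),
}

RESET_TOKENS: dict[str, str] = {}   # token -> username, single use
AUDIT_LOG: list[dict] = []          # what an incident responder would want to replay
RESET_REQUESTS = Counter()          # per-account request counter for abuse monitoring
ABUSE_THRESHOLD = 5                 # constructed limit; above it a human must review


def _audit(event: str, **fields) -> None:
    AUDIT_LOG.append({"event": event, **fields})


def _same(a: str, b: str) -> bool:
    """Constant-time comparison; encode so non-ASCII input cannot raise."""
    return hmac.compare_digest(a.encode(), b.encode())


def vulnerable_request_reset(username: str, submitted_email: str) -> str | None:
    """The flawed shape: the link is mailed to whatever address the requester typed."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    RESET_TOKENS[secrets.token_urlsafe(32)] = username
    # BUG: submitted_email is never compared with acct.linked_email
    return submitted_email


def hardened_request_reset(username: str, submitted_email: str) -> str | None:
    """Fixed shape: the submitted address is only a hint, the link goes to the
    address on file, every outcome is logged, and repeated requests are held."""
    RESET_REQUESTS[username] += 1
    acct = ACCOUNTS.get(username)
    if acct is None:
        _audit("reset_denied", username=username, reason="unknown_account")
        return None
    if RESET_REQUESTS[username] > ABUSE_THRESHOLD:
        _audit("reset_held", username=username, reason="rate_threshold")
        return None
    if not _same(submitted_email.strip().lower(), acct.linked_email.lower()):
        _audit("reset_denied", username=username, reason="email_mismatch")
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = username
    _audit("reset_issued", username=username, destination=acct.linked_email)
    # The user-facing reply should read the same for every outcome so the
    # endpoint does not confirm which address is linked to an account.
    return acct.linked_email


def complete_reset(token: str, new_password: str, second_factor: str | None = None) -> bool:
    """Consume a token exactly once; 2FA accounts must also present their second factor."""
    username = RESET_TOKENS.pop(token, None)   # popped first, so a failed attempt burns it
    if username is None:
        _audit("reset_rejected", reason="bad_or_used_token")
        return False
    acct = ACCOUNTS[username]
    if acct.has_2fa:
        ok = second_factor is not None and acct.recovery_code is not None \
            and _same(second_factor, acct.recovery_code)
        if not ok:
            _audit("reset_rejected", username=username, reason="second_factor_failed")
            return False
    acct.password_hash = "hashed:" + new_password   # placeholder for a real password hash
    _audit("password_changed", username=username)
    return True


def invalidate_all_reset_tokens() -> int:
    """Containment step of the kind described in the article: void every outstanding link."""
    count = len(RESET_TOKENS)
    RESET_TOKENS.clear()
    _audit("tokens_invalidated", count=count)
    return count
```

The comparison is the whole difference between the two request functions: the vulnerable one treats the typed address as the delivery target, the hardened one treats it only as something to check against the record and always delivers to the address on file. The counter and audit log are deliberately simple in-memory stand-ins; in production the same events would go to the identity platform's existing logging and rate-limiting so the AI-assisted path is monitored like any other reset endpoint.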