Over 20,000 Instagram accounts were hijacked after attackers figured out how to weaponize Meta’s AI-powered support system against its own users. The weapon of choice? A tool called High Touch Support (HTS) — designed to help locked-out users regain access to their accounts. Instead, it became the skeleton key that let attackers walk right in.
How the Attack Worked
Here’s the critical flaw: HTS didn’t properly verify whether an email address was actually associated with the Instagram account it was supposedly helping recover. Attackers exploited this gap to obtain password reset links for accounts they didn’t own. Once they had the link, they could reset the password, log in, and take full control — all without needing to touch the victim’s two-factor authentication.
The campaign started as far back as April 17, 2026, but Meta didn’t discover it until May 31. That’s a six-week window where attackers had free rein.
What Was Exposed
While Meta says it has no confirmed evidence of what data the attackers actually pulled, the potential exposure is significant. Anyone who got in could’ve accessed email addresses, phone numbers, dates of birth, entire post histories (photos, videos, stories), direct messages, profile information, and linked accounts. For some users, that’s essentially their entire digital life.
Meta disclosed the breach in a letter filed with Maine’s Office of the Attorney General, confirming 30 users in that jurisdiction alone were affected — though the global toll exceeds 20,000 accounts.
Meta’s Response
After user reports flooded social media, Meta VP of Communications Andy Stone responded that “the issue has been resolved and we are securing impacted accounts.” The company disabled the HTS tool entirely, invalidated all outstanding password reset links, and forced mandatory security checkpoints on every potentially compromised account.
Affected users had to reset their passwords again and re-authenticate from scratch. Before relaunching HTS, Meta says it’ll fix the authentication check to properly verify email addresses against account information — and it’s reviewing similar recovery flows across all its platforms.
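A simplified model of the missing check described under "How the Attack Worked" and of the fix and link invalidation described above. This is an added example, not Meta's code: the account data, function names and the 900-second lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: account name -> verified email on file.
ACCOUNTS = {"alice": "alice@example.com", "bob": "bob@example.org"}
RESET_TTL = 900   # link lifetime in seconds (assumed value)
tokens = {}       # sha256(token) -> (account, expiry); raw tokens are never stored
outbox = []       # (recipient, token) pairs, standing in for mail delivery

def send_link(account, recipient):
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    tokens[digest] = (account, time.time() + RESET_TTL)
    outbox.append((recipient, token))
    return True

def issue_reset_unchecked(account, claimed_email):
    """The gap described above: the address is never compared to the account."""
    if account not in ACCOUNTS:
        return False
    return send_link(account, claimed_email)

def issue_reset_checked(account, claimed_email):
    """The claimed address is only a claim; deliver to the address on file."""
    on_file = ACCOUNTS.get(account)
    if on_file is None:
        return False
    claimed = claimed_email.strip().lower().encode()
    if not hmac.compare_digest(claimed, on_file.lower().encode()):
        return False  # caller shows the same generic reply either way
    return send_link(account, on_file)

def redeem(token, now=None):
    """Single use: the entry is removed on first presentation, valid or not."""
    entry = tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return None
    account, expiry = entry
    now = time.time() if now is None else now
    return account if now < expiry else None

def invalidate_all():
    """Containment step: void every outstanding reset link at once."""
    count = len(tokens)
    tokens.clear()
    return count
```

The checked path never sends to the caller-supplied string, so even a bug in the comparison cannot redirect a link to an address that is not on file.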
The Bigger Pattern
This isn’t Meta’s first rodeo with security failures. Ireland previously fined the company $264 million over a 2018 Facebook data breach. And this incident highlights a growing concern: the security of AI-assisted support systems themselves. Companies are racing to deploy AI tools for customer service, but if those tools don’t have rigorous identity verification baked in, they become the weakest link in the chain.
What You Should Do Right Now
If you’re an Instagram user — and statistically, that’s most people reading this — take these steps now. Enable two-factor authentication using an authenticator app, not SMS. Make sure your recovery email is current and secured with its own 2FA. Check your account for unfamiliar login activity under Settings → Security → Login Activity. And be suspicious of any unexpected password reset emails, even if they look legit.
What’s Next
Meta says it’s auditing account recovery flows across all its platforms, which includes Facebook, WhatsApp, and Threads. That’s a good sign, but the real question is whether this kind of vulnerability exists in other companies’ AI support systems too. As more platforms roll out AI-assisted customer service, expect attackers to probe these tools for similar weaknesses. This won’t be the last time an account recovery system becomes an account takeover system.
