
Over 20,000 Instagram accounts stolen in Meta AI support hack


Meta has revealed that over 20,000 Instagram users had their accounts hijacked in a recent incident where attackers used Meta's AI-powered support system to reset passwords.

As BleepingComputer reported one week ago, the threat actors exploited a flaw in the company's High Touch Support (HTS) tool, an AI-assisted support system that helps users regain access after being locked out of their Instagram accounts.

By exploiting the fact that HTS didn't verify whether email addresses were associated with the targeted Instagram accounts, the attackers obtained password reset links that allowed them to log in and hijack accounts that did not have two-factor authentication (2FA) enabled.
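The missing check described above, sketched as an added example (not Meta's code and not part of the original article): a recovery handler that issues a reset link only to an address already verified for the account. The account store, function names and audit event names are hypothetical, and the sample data is constructed.

```python
import secrets
import unicodedata
from typing import Optional

# Constructed sample store: username -> addresses verified when they were added.
ACCOUNTS = {
    "alice_photos": {"verified_emails": {"alice@example.com"}},
}

GENERIC_REPLY = "If that address is on file for the account, a reset link has been sent."

def normalize_email(addr: str) -> str:
    """Canonical form used only for comparison (NFKC, trimmed, lowercased)."""
    return unicodedata.normalize("NFKC", addr).strip().lower()

def bound_contact(username: str, requested_email: str) -> Optional[str]:
    """Return the stored address matching the request, or None if the address
    is not bound to this account (or the account does not exist)."""
    account = ACCOUNTS.get(username)
    if account is None:
        return None
    on_file = {normalize_email(e): e for e in account["verified_emails"]}
    return on_file.get(normalize_email(requested_email))

def handle_recovery_request(username, requested_email, outbox, audit_log) -> str:
    """Issue a reset token only to a contact already bound to the account.

    The link goes to the stored address, never to the string the requester
    typed, and the reply is identical on success and failure so the support
    channel cannot be used to learn which addresses belong to which accounts.
    """
    destination = bound_contact(username, requested_email)
    if destination is None:
        # Denials are the detection signal: a burst of unbound-contact
        # requests is what abuse of a recovery tool looks like in the logs.
        audit_log.append(("reset_denied_unbound_contact", username,
                          normalize_email(requested_email)))
        return GENERIC_REPLY
    token = secrets.token_urlsafe(32)  # single-use reset token
    outbox.append((destination, token))
    audit_log.append(("reset_issued", username, destination))
    return GENERIC_REPLY

if __name__ == "__main__":
    outbox, audit = [], []
    handle_recovery_request("alice_photos", "someone-else@example.net", outbox, audit)
    handle_recovery_request("alice_photos", " Alice@Example.com ", outbox, audit)
    print(audit)
```

The same check belongs in any automated or AI-assisted support path, since the agent's conversational layer is not a substitute for binding the reset destination to the account record.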

After a wave of user reports regarding these attacks hit social media platforms, Andy Stone, Meta's vice president of communications, replied to one of the affected users, stating that the "issue has been resolved, and we are securing impacted accounts."

BleepingComputer also contacted Meta last week for comment on this security breach, but we have yet to hear back.

"We are writing to inform you that a vulnerability in an Instagram account recovery support tool was used to potentially compromise the Instagram accounts of 30 users in your jurisdiction. All accounts have been secured to prevent any continued unauthorized access," Meta said in a data breach letter recently filed with Maine's Office of the Attorney General.

"On May 31, 2026, Meta discovered that there was a vulnerability in an AI-assisted account recovery system for Instagram ('High Touch Support' or 'HTS') that was exploited by unauthorized third parties to perform password resets on Instagram user accounts," Meta explained.

While Meta didn't specify when the attacks began in the breach letter, the filing on Maine's OAG website says the breach occurred on April 17, which is likely the date of the first attack exploiting the HTS flaw.

Additionally, although the company said it has no information on what personal information might have been accessed or stolen from the compromised accounts, it noted that the attackers could've gained access to affected Instagram users' contact information (email address and/or phone number), dates of birth, social media posts and content (photos, videos, stories), direct messages and communications, account activity and interaction history, profile information (biography, profile photo), as well as other connected accounts and linked services.

Chat with Meta's AI support HTS agent (@thecomfeed)
