“The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account,” Meta wrote to the Maine attorney general’s office (OAG).
How the High Touch Support (HTS) flaw let outsiders in
Meta discovered the problem on May 31 in an AI-powered support feature called High Touch Support (HTS), a tool designed to help users locked out of Instagram regain access by sending a new password link. According to Meta’s account, the feature behaved as designed when invoked, but a separate code path failed to verify that the email address supplied by a requester actually matched the email on file for the targeted Instagram account.
Because the system did not reject password-reset attempts that supplied an email address unassociated with the account, malicious actors were able to receive password reset links for accounts they did not own. If the rightful account holder had not enabled two-factor authentication (2FA), the attacker could log in after following the reset link.
20,225 Instagram users affected and the scope of exposed data
Meta’s regulatory filing states that 20,225 Instagram users had their accounts compromised through this vulnerability. The company listed the categories of information exposed as a result of the breach:
- Contact information (email address and/or phone number)
- Date of birth
- Social media posts and content (photos, videos, stories)
- Direct messages and communications
- Account activity and interaction history
- Profile information (biography, profile photo)
- Connected accounts and linked services
The combination of credential access and the breadth of content and metadata named in Meta’s filing underscores that the incident extended beyond mere login disruption to exposure of private communications and media.
Meta’s immediate fixes and the safety measures imposed on impacted accounts
Meta reports it took several steps once the vulnerability was discovered. The company disabled the AI-assisted HTS tool and the vulnerable code path, and it invalidated all existing password reset links. Affected accounts were enrolled in a “mandatory security checkpoint” that prevented authentication until account access procedures were completed through secure channels.
Meta told impacted users to reset their passwords and reauthenticate through secure, verified channels. The firm also said it will fix the authentication check in Instagram’s recovery entry point before re-launching the tool to ensure email addresses are validated against existing account information prior to initiating any password reset. Additionally, Meta is conducting a comprehensive review of similar account recovery flows across its platforms to identify and remediate any potential issues.
Finally, the company said it is writing to potentially impacted individuals and urging them to review security settings and enable two-factor authentication.
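To make the defect and the remediation concrete, here is an added example (written for this article, not Meta's or Instagram's code) of a minimal password-reset service. It covers two passages above: the recovery flaw, where a secondary code path trusts the requester-supplied email address instead of comparing it to the address on file, and the clean-up steps the filing lists (voiding every outstanding reset link, placing affected accounts behind a checkpoint that blocks login until recovery completes, and 2FA as the control that stopped the attack). The account store, token store, function names and sample accounts are all constructed assumptions.

```python
"""
Added example, not Meta's code: a minimal password-reset service showing the
class of defect described in the article and the remediation steps.

Assumptions (not from the article): accounts live in a dict keyed by username,
a reset "link" is represented by its random token, and all names and sample
data below are constructed for illustration.
"""
import hmac
import secrets
import time

# --- constructed sample data ---------------------------------------------
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "twofa": False, "checkpoint": False},
    "bob":   {"email": "bob@example.com",   "twofa": True,  "checkpoint": False},
}
RESET_TOKENS = {}   # token -> (username, expires_at)
TOKEN_TTL = 900     # seconds a reset link stays valid (assumed value)


def _issue_reset_link(username):
    """Mint a single-use, time-limited reset token bound to the account."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, time.time() + TOKEN_TTL)
    return token


def request_reset_vulnerable(username, requester_email):
    """The flawed shape: the email supplied by the requester is never compared
    to the address on file, and the link is sent to whatever address was given."""
    if username not in ACCOUNTS:
        return None
    token = _issue_reset_link(username)
    return {"send_to": requester_email, "token": token}   # link goes to the requester


def request_reset_hardened(username, requester_email):
    """Verify the supplied address against the record before issuing anything.
    Returns None for every failure case (unknown account or mismatch) so the
    caller can show one neutral message and not reveal which address is bound
    to which account."""
    account = ACCOUNTS.get(username)
    if account is None:
        return None
    on_file = account["email"].strip().lower().encode("utf-8")
    supplied = requester_email.strip().lower().encode("utf-8")
    if not hmac.compare_digest(on_file, supplied):   # constant-time comparison
        return None
    token = _issue_reset_link(username)
    return {"send_to": account["email"], "token": token}   # only ever the address on file


def redeem_reset_link(token):
    """Consume a reset token once; expired or unknown tokens yield None."""
    entry = RESET_TOKENS.pop(token, None)
    if entry is None:
        return None
    username, expires_at = entry
    if time.time() > expires_at:
        return None
    return username


def invalidate_all_reset_links():
    """Incident-response step from the filing: void every outstanding link at
    once, whether or not it was legitimately requested. Returns the count voided."""
    count = len(RESET_TOKENS)
    RESET_TOKENS.clear()
    return count


def place_checkpoint(usernames):
    """Flag affected accounts so they cannot authenticate until recovery is
    completed through the verified channel."""
    for name in usernames:
        ACCOUNTS[name]["checkpoint"] = True


def login(username, password_ok, twofa_ok):
    """Authentication gate: checkpointed accounts are blocked outright, and an
    account with 2FA enabled needs the second factor even with a valid password
    (which is why a stolen reset link alone was not enough for 2FA users)."""
    account = ACCOUNTS.get(username)
    if account is None or not password_ok:
        return "denied"
    if account["checkpoint"]:
        return "checkpoint_required"
    if account["twofa"] and not twofa_ok:
        return "2fa_required"
    return "ok"
```

The hardened handler normalizes both addresses and compares them in constant time; the important property is that the destination of the link is always the address on record, never the requester's input, so a mismatch cannot yield a link to an outsider. `invalidate_all_reset_links` and `place_checkpoint` correspond to the two containment actions the filing describes, and `login` shows why enabling 2FA limited the damage.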
What this means for technologists, affected users, and the OAG
- Technologists and security teams: The incident highlights the risk that auxiliary code paths — not just primary feature logic — can undermine the verification an authentication flow depends on. Teams responsible for account recovery should look for implicit trust in requester-supplied identifiers within secondary code paths and prioritize end-to-end verification in recovery flows, as Meta has pledged to do.
- Affected users and the general public: Users whose accounts were compromised have been placed behind mandatory checkpoints and are being asked to reset passwords and reauthenticate. Meta is urging these individuals to enable two-factor authentication as part of the remediation.
- The Maine attorney general’s office (OAG): Meta’s disclosure was made in a letter to the OAG, establishing a regulatory notification and record of the event that may inform any further inquiries or oversight tied to consumer data protection.
Meta’s disclosure provides a clear timeline and a concrete list of technical fixes: the HTS tool and vulnerable path were disabled, reset links invalidated, affected accounts isolated behind a security checkpoint, and a repair to the authentication check is required before the tool can be reinstated. The company also says it will sweep comparable recovery flows across its platforms. The open question left by Meta’s filing is how quickly that comprehensive review will identify and eliminate similar verification gaps elsewhere — and how swiftly impacted users will be made whole.
Source: https://www.infosecurity-magazine.com/news/over-20000-instagram-accounts/