Meta Exposes Flaw in AI Support System Used to Hijack 20,000 Instagram Accounts

More than 20,000 Instagram accounts were hijacked after attackers exploited Meta’s AI-powered support system to reset passwords, the company has revealed.

High Touch Support (HTS): the exploited AI recovery flow

According to Meta, the vulnerability lay in an AI-assisted account recovery system for Instagram called "High Touch Support" or HTS. Meta said in a breach letter that on May 31, 2026 it "discovered that there was a vulnerability in an AI-assisted account recovery system for Instagram ('High Touch Support' or 'HTS') that was exploited by unauthorized third parties to perform password resets on Instagram user accounts."

BleepingComputer reported the initial exploitation one week earlier, describing how threat actors took advantage of HTS failing to verify whether email addresses were associated with the targeted Instagram accounts. That gap allowed attackers to obtain password reset links and log in to accounts that did not have two-factor authentication (2FA) enabled.

Scope and types of data potentially accessed

Meta told regulators that more than 20,000 Instagram users had their accounts hijacked in the incident. A separate breach notification filed with Maine's Office of the Attorney General said the company identified a vulnerability "that was used to potentially compromise the Instagram accounts of 30 users in your jurisdiction." The filing on the Maine OAG website lists April 17 as the date of the breach, which Meta’s filing says is likely the date of the first attack exploiting the HTS flaw.

In the breach letter Meta also said it has "no information on what personal information might have been accessed or stolen from the compromised accounts," but it listed the types of information attackers could have gained access to. Those items include contact information (email address and/or phone number), dates of birth, social media posts and content (photos, videos, stories), direct messages and communications, account activity and interaction history, profile information (biography, profile photo), and other connected accounts and linked services.

Meta's immediate actions and planned fixes

After the wave of public reports, Andy Stone, Meta’s vice president of communications, replied to an affected user on social media saying the "issue has been resolved, and we are securing impacted accounts." Meta disabled the HTS AI-powered support system and invalidated all password reset links that HTS had generated to block further hijack attempts tied to the same malicious campaign.

Meta said it enrolled all potentially compromised accounts into a mandatory security checkpoint and asked affected users to reset their passwords and re-authenticate to regain control. Meta also stated that "Prior to re-launching the tool, Meta will fix the authentication check in the Instagram recovery entry point to ensure proper verification of email addresses against existing account information before any password reset is initiated." The company added it is "conducting a comprehensive review of similar account recovery flows across Meta’s platforms to identify and remediate any potential issues."
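To make the missing check concrete, here is an added example (not Meta's code, which is not public) modelling a recovery entry point: the vulnerable version issues a reset token for any existing account without comparing the supplied email to the one on file, while the hardened version performs the email-association check Meta says it will add, makes tokens single-use and expiring, gates 2FA-enabled accounts on a second factor, and includes the bulk invalidation step Meta took. The account store, the 15-minute TTL and all function names are assumptions.

```python
import hmac
import secrets
import time

# Constructed sample store (assumption): username -> verified contact email and 2FA state.
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "twofa": False},
    "bob": {"email": "bob@example.com", "twofa": True},
}
RESET_TTL = 15 * 60   # assumed policy: reset links expire after 15 minutes
_tokens = {}          # token -> (username, issued_at); stands in for a token store

def _issue_token(username, now=None):
    token = secrets.token_urlsafe(32)   # unguessable and bound to exactly one account
    _tokens[token] = (username, time.time() if now is None else now)
    return token

def vulnerable_request_reset(username, claimed_email):
    # Models the HTS defect: a link is issued for any existing account; claimed_email is never checked.
    if username not in ACCOUNTS:
        return None
    return _issue_token(username)

def hardened_request_reset(username, claimed_email):
    """Checks the claimed email against the stored contact before any reset is initiated."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    claimed = claimed_email.strip().lower().encode()
    stored = acct["email"].strip().lower().encode()
    if not hmac.compare_digest(claimed, stored):
        return None   # same answer as for an unknown account, so no enumeration oracle
    return _issue_token(username)

def redeem_token(token, second_factor_ok=False, now=None):
    """Consumes a token once; 2FA-enabled accounts also need a verified second factor."""
    entry = _tokens.pop(token, None)
    if entry is None:
        return None
    username, issued = entry
    if (time.time() if now is None else now) - issued > RESET_TTL:
        return None
    if ACCOUNTS[username]["twofa"] and not second_factor_ok:
        return None
    return username

def invalidate_all_tokens():
    count = len(_tokens)   # response step Meta took: every outstanding link stops working
    _tokens.clear()
    return count
```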

BleepingComputer reports it contacted Meta last week for comment on the breach and has not yet received a reply beyond the public statements and the breach filing.

Regulatory context: Maine filing and recent fines

The incident generated a formal notification in at least one U.S. jurisdiction. Meta’s letter to Maine’s Office of the Attorney General explicitly informed the regulator that the vulnerability "was used to potentially compromise" the Instagram accounts of 30 users in that jurisdiction and that "All accounts have been secured to prevent any continued unauthorized access."

The filing comes against a backdrop of several high-profile regulatory penalties noted in Meta’s disclosures: Ireland fined Meta $264 million over a 2018 data breach that exposed names, email addresses, phone numbers, and physical locations of more than 29 million Facebook accounts; Meta was also fined €265 million ($275.5 million) in November 2022 for failing to protect Facebook users' data from scrapers, and fined another €91 million ($100 million) for storing passwords of hundreds of millions of users in plaintext.

What this means for Instagram users, security teams, and regulators

  • Instagram users: Those affected face potential exposure of personal content and communications listed by Meta. Meta has required password resets and re-authentication for impacted accounts and disabled the HTS tool until verification checks are fixed.
  • Security teams and technologists: The incident highlights how automation in account recovery — specifically an AI-assisted flow that omitted verification of email-account association — can be abused to generate valid password reset tokens. Meta says it will review similar account recovery flows across its platforms.
  • Regulators and privacy officials: The breach notification to Maine and the company’s reference to past fines underscore that this incident will form part of ongoing regulatory scrutiny. The Maine filing gives a concrete local count (30 accounts) while Meta’s overall figure exceeds 20,000 affected accounts.

The facts on record show a concrete technical failing — an authentication check missing in HTS — produced broad account takeovers, prompting Meta to halt the tool, invalidate generated reset links, and force security checkpoints. Meta has laid out the next step it will take before any relaunch: fixing the email-account verification in the Instagram recovery entry point and reviewing other recovery flows. One clear, immediate question remains in the public record: when will Meta complete those fixes and re-launch HTS so users can safely access legitimate recovery help?

https://www.bleepingcomputer.com/news/security/meta-ai-support-data-breach-affects-20-000-instagram-accounts/