A Meta AI support hack has led to the theft of over 20,000 Instagram accounts, as attackers exploited a vulnerability in the company’s AI-powered assistance system. This significant security incident, first reported by BleepingComputer, highlights the evolving risks associated with sophisticated AI tools when not rigorously secured. The breach allowed malicious actors to bypass standard authentication protocols, raising serious concerns for digital security and user trust.
The attackers leveraged a flaw in Meta’s High Touch Support (HTS) tool, an AI-assisted system designed to help users regain access to locked Instagram accounts. The core issue lay in HTS failing to verify whether the email address provided for a password reset was actually associated with the target Instagram account. This critical oversight enabled unauthorized parties to receive password reset links, subsequently gaining control of accounts that lacked two-factor authentication (2FA).
“The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account,” stated Amber Hannah, Meta’s associate general counsel for incident response legal.
Exploiting the High Touch Support Vulnerability
The vulnerability’s exploitation began around April 17, 2026, according to Meta’s filing with Maine’s Office of the Attorney General. By providing an unassociated email address, attackers could trick the HTS system into sending password reset links to their chosen inbox, effectively bypassing the legitimate account owner. Once the password was reset, access to the Instagram account became trivial, especially for those without 2FA enabled, which provides an additional layer of security.
Upon discovery of the issue, Meta promptly disabled the affected HTS AI-powered support system and invalidated all password reset links generated by it to prevent further unauthorized access. The company also initiated a mandatory security checkpoint for all potentially compromised accounts, requiring users to reset their passwords and re-authenticate to regain secure control. This swift action aims to mitigate the immediate impact of the Meta AI support hack.
Impact and Meta’s Response to the Instagram Account Theft
While Meta has not specified the full extent of personal information accessed, the attackers could have potentially gained access to a wide range of data. This includes contact information (email/phone), dates of birth, social media posts, direct messages, account activity, and profile information. The breach underscores the extensive personal data held by social media platforms and the severe implications of such security lapses.
This incident is not Meta’s first encounter with significant data security challenges. The company has faced substantial fines in the past, including a $264 million penalty from Ireland over a 2018 Facebook data breach and another €265 million for failing to protect Facebook users’ data from scrapers in 2022. These repeated incidents highlight an ongoing need for enhanced security protocols across all Meta platforms. Investors and users alike will be watching closely for how Meta addresses this latest incident and strengthens its defenses against future AI-driven exploits.
Moving forward, Meta has committed to fixing the authentication check in Instagram’s recovery entry point to ensure proper email verification before any password reset is initiated. Additionally, a comprehensive review of similar account recovery flows across all Meta platforms is underway to identify and remediate any potential issues. This proactive approach is crucial for rebuilding user trust and safeguarding digital identities in an increasingly complex cyber landscape.
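The missing check described above, next to the corrected behaviour, as an added Python example. This is not Meta's code: the account store, outbox, and function names are hypothetical stand-ins, and the sample account is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; usernames and addresses are illustrative only.
ACCOUNTS = {"alice_photos": {"email": "alice@example.com"}}
OUTBOX = []   # (recipient, token) pairs standing in for sent mail
TOKENS = {}   # sha256(token) -> username; raw tokens are never stored


def _normalize(email):
    return email.strip().lower()


def _issue_token(username):
    token = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username
    return token


def request_reset_unchecked(username, supplied_email):
    """Flawed path: mails the link to whatever address the requester typed."""
    if username not in ACCOUNTS:
        return False
    OUTBOX.append((_normalize(supplied_email), _issue_token(username)))
    return True


def request_reset_checked(username, supplied_email):
    """Hardened path: the link only ever goes to the address on file."""
    account = ACCOUNTS.get(username)
    on_file = account["email"] if account else ""
    # Constant-time comparison, and the same return value on match and
    # mismatch, so the endpoint does not reveal which address owns an account.
    matches = hmac.compare_digest(
        _normalize(supplied_email).encode(), _normalize(on_file).encode()
    )
    if account and matches:
        OUTBOX.append((_normalize(on_file), _issue_token(username)))
    return True


def invalidate_all_reset_tokens():
    """Containment step: revoke every outstanding reset link at once."""
    count = len(TOKENS)
    TOKENS.clear()
    return count
```

In the hardened function the recipient is taken from the stored record, never from the request, so a mismatch produces no mail and no token.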




