Meta reveals over 20,000 Instagram accounts hacked and stolen using AI support bot
Sead Fadilpašić · 2026-06-08 · via Latest from TechRadar in Pro

  • Meta confirms 20,225 Instagram accounts hit by HTS password‑reset flaw
  • Bug let attackers request resets to unassociated emails
  • HTS disabled, passwords reset, full recovery‑flow review underway

Last week’s attack against Meta’s customer support affected just over 20,000 accounts, the company has now confirmed. Hackers managed to break into these profiles and most likely exfiltrate the data found inside.

Last week, news broke that cybercriminals exploited a vulnerability in Meta’s AI-powered customer support service, tricking it into sending password reset codes for other people’s accounts.

Now, the Facebook and Instagram owner has filed a new report with the Office of the Maine Attorney General, stating that 20,225 persons were affected. In a letter to the Maine AG, Meta said it discovered a flaw in High Touch Support (an AI-assisted account recovery system for Instagram) on May 31, 2026.

Mitigating the intrusion

“The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account. As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request,” Meta explained.

The company says there is no evidence of data exfiltration, but leaves it as a possibility, given that the crooks were able to easily access the data. That includes contact information (email address and/or phone number), date of birth, social media posts and content (photos, videos, stories), direct messages and communications, account activity and interaction history, profile information (biography, profile photo), and connected accounts and linked services.

To address the issue, Meta disabled the HTS system and reset the passwords for all affected profiles. It also enrolled all targeted accounts into a mandatory security checkpoint and asked all users to re-authenticate.

"Prior to re-launching the tool, Meta will fix the authentication check in the Instagram recovery entry point to ensure proper verification of email addresses against existing account information before any password reset is initiated," Meta stressed. "Additionally, Meta is conducting a comprehensive review of similar account recovery flows across Meta’s platforms to identify and remediate any potential issues.”
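The check Meta describes, as an added example (not Meta's code and not part of the original article): a reset handler with the flaw as described, beside a hardened one that rejects a mismatched address and only ever delivers to the address on file. The account store, function names, reply text and audit fields are assumptions made for illustration.

```python
import secrets

# Constructed sample account store: username -> email on file (hypothetical data).
ACCOUNTS = {"alice": "alice@example.com"}

# Same reply on every path, so the response does not reveal whether the
# account exists or whether the supplied address matched.
GENERIC_REPLY = "If the details match an account, a reset link was sent to the address on file."


def normalize(email: str) -> str:
    """Normalize only for comparison; delivery always uses the stored value."""
    return email.strip().casefold()


def request_reset_vulnerable(username, supplied_email, outbox):
    """The flaw as described: the link goes to whatever address the requester supplies."""
    if username in ACCOUNTS:
        outbox.append((normalize(supplied_email), secrets.token_urlsafe(32)))
    return GENERIC_REPLY


def request_reset_hardened(username, supplied_email, outbox, audit):
    """Verify the supplied address against the account before any reset is initiated."""
    on_file = ACCOUNTS.get(username)
    if on_file is None or normalize(on_file) != normalize(supplied_email):
        # Reject, and keep a record that detection can alert on
        # (for example, many mismatches from one source).
        audit.append({
            "event": "reset_rejected",
            "username": username,
            "reason": "unknown_account" if on_file is None else "email_mismatch",
        })
        return GENERIC_REPLY
    # Deliver to the stored address, never to the caller-supplied string.
    outbox.append((on_file, secrets.token_urlsafe(32)))
    return GENERIC_REPLY


if __name__ == "__main__":
    sent, log = [], []
    request_reset_hardened("alice", "someone-else@example.net", sent, log)
    print("links sent:", len(sent), "| rejections logged:", log)
```
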


Muhammad Yahya Patel, vCISO & Cybersecurity Advisor at Huntress, said:

"This is a new category of risk that the industry needs to start taking seriously. As AI is embedded into operational workflows, customer support, identity verification, and access management, the attack surface shifts from technical vulnerabilities to logical ones.

Any organisation deploying AI into support, identity, or access workflows needs to ask one question before go-live: what happens if an attacker treats this tool as the attack surface? AI systems that can trigger privileged actions such as password resets, account access, and data retrieval need the same rigorous access controls and verification logic as any other privileged system. The fact that it’s AI-powered doesn’t make it lower risk. Right now, for many organisations, it’s making it higher.

The more significant issue is what this signals about the security review process for AI-powered tools before they go into production."

Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.