3Corns

Over 20,000 Instagram accounts stolen in Meta AI support hack
Meta has disclosed that more than 20,000 Instagram users were affected by a security incident in which attackers exploited an AI-powered account recovery tool to take over accounts. The flaw existed within Meta’s High Touch Support (HTS) system, which failed to verify whether an email address was actually linked to the Instagram account being recovered. By abusing this weakness, attackers were able to obtain password reset links and gain access to accounts that did not have two-factor authentication (2FA) enabled.

Following widespread reports from affected users on social media, Meta’s Vice President of Communications, Andy Stone, confirmed that the issue had been fixed and that impacted accounts were being secured.

Meta also informed regulators about the breach. In a notification filed with Maine’s Office of the Attorney General, the company stated that a vulnerability in Instagram’s AI-assisted account recovery system was exploited by unauthorized parties to perform password resets on user accounts. According to the filing, Meta discovered the vulnerability on May 31, 2026. Although the company did not specify when the attacks began, the breach report lists April 17, 2026, as the incident date, which may indicate when the first successful exploitation occurred.

Meta said it cannot determine exactly what information may have been accessed, but attackers potentially gained access to user contact details, including email addresses and phone numbers, dates of birth, profile information, photos, videos, stories, direct messages, account activity history, and linked accounts or services.

In response, Meta disabled the HTS support system and invalidated all password reset links generated through it to prevent further abuse. The company also placed affected accounts into a mandatory security review process and required impacted users to reset their passwords and re-authenticate their accounts.
Before relaunching the tool, Meta says it will implement stronger verification measures to ensure email addresses are properly validated before password resets can be initiated. The company is also reviewing similar account recovery processes across its platforms to identify and address any related security weaknesses. This incident adds to a series of privacy and security penalties faced by Meta in recent years. Ireland previously fined the company $264 million over a 2018 data breach that exposed personal information from more than 29 million Facebook accounts. In 2022, Meta was fined €265 million for failing to protect user data from scraping and another €91 million for storing hundreds of millions of user passwords in plaintext.
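The weakness the article describes is a recovery flow that never checks whether the email address supplied by the requester is actually linked to the account, so the reset link is mailed wherever the requester asks. The Python below, added here as an illustration and not Meta's HTS code, puts that pattern beside a hardened version that only issues a link to an address already verified for the account, stores tokens hashed, burns them on use, requires the second factor when 2FA is enabled, and supports the kind of bulk invalidation Meta applied. The account directory, function names and the `second_factor_ok` flag are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    username: str
    linked_emails: frozenset        # addresses already verified as belonging to this account
    has_2fa: bool = False


# Constructed sample directory for the example; not real user data.
ACCOUNTS = {
    "alice": Account("alice", frozenset({"alice@example.com"})),
    "bob": Account("bob", frozenset({"bob@example.com"}), has_2fa=True),
}


def _normalize(email: str) -> str:
    return email.strip().lower()


def _hash_token(token: str) -> str:
    # Store only a digest so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_vulnerable(username: str, requested_email: str,
                           tokens: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """The flawed pattern: the caller-supplied address is never checked against the
    account, so the reset link is delivered to whatever address was requested."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)
    tokens[_hash_token(token)] = username
    return _normalize(requested_email), token


def issue_reset_hardened(username: str, requested_email: str,
                         tokens: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Only an address already linked to the account can receive a reset link."""
    acct = ACCOUNTS.get(username)
    email = _normalize(requested_email)
    linked = acct.linked_emails if acct else frozenset()
    # Constant-time comparison against every linked address. The same generic result
    # is returned whether the username or the email was wrong, so nothing is leaked.
    matched = any(hmac.compare_digest(email.encode(), e.encode()) for e in linked)
    if not matched:
        return None
    token = secrets.token_urlsafe(32)
    tokens[_hash_token(token)] = username
    return email, token


def redeem_reset(token: str, tokens: Dict[str, str],
                 second_factor_ok: bool = False) -> Optional[str]:
    """Single-use redemption; accounts with 2FA additionally need the second factor."""
    digest = _hash_token(token)
    username = tokens.get(digest)
    if username is None:
        return None
    acct = ACCOUNTS[username]
    if acct.has_2fa and not second_factor_ok:
        return None            # token is kept until the second factor is presented
    del tokens[digest]         # burn the token on successful use
    return username


def invalidate_all(tokens: Dict[str, str]) -> int:
    """Emergency revocation of every outstanding link, the step Meta took when it
    disabled HTS. Returns the number of links revoked."""
    count = len(tokens)
    tokens.clear()
    return count


if __name__ == "__main__":
    outstanding: Dict[str, str] = {}
    print("vulnerable:", issue_reset_vulnerable("alice", "other@example.net", outstanding))
    print("hardened:  ", issue_reset_hardened("alice", "other@example.net", {}))
```

The hardened handler deliberately returns the same `None` for an unknown username and for an unlinked address, and only after a constant-time comparison, so the recovery endpoint cannot be used to confirm which addresses belong to which accounts. Rate limiting and logging of failed recovery attempts belong in front of it; both are omitted here to keep the example focused on the missing ownership check.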


