Instagram Accounts Compromised After Meta Support Tool Flaw Exposes Password Reset Links
A security flaw in Meta's High Touch Support (HTS) tool let attackers take control of more than 20,000 Instagram accounts. By abusing this AI-assisted tool, attackers could have the password reset link for someone else's account delivered to an email address they controlled. Here is what we know about the incident.
When AI Hands Password Reset Links to Strangers
This case began on May 31, 2026, when Meta discovered a security flaw in its AI-assisted support tool, High Touch Support (HTS). This interactive tool is designed to help users regain access to their Instagram account, for example after it has been locked following too many failed login attempts.
The problem is that the vulnerability let attackers abuse the tool to take over more than 20,000 Instagram accounts. An attacker only had to supply an email address they controlled, one not linked to the targeted account, and the system sent the password reset link to that external address instead of rejecting the request.
Once the attacker received the email, they only had to click the link to set a new password and seize control of the targeted account. Accounts protected by two-factor authentication (2FA), however, were safe from this attack.
In other words, there was no verification at all. It looks like a beginner's mistake, since the logic error is so glaring: at a minimum, such a tool should check that the address supplied matches the one listed in the account's Instagram settings before sending anything.
Yet according to the breach notification filed with the Maine Attorney General's office by Amber Hannah, Meta's general counsel, sending the link to the address the requester provides was the intended behaviour of the tool; the check that should have rejected a non-matching address lived elsewhere.
"Users can request assistance from HTS and, as part of this process, request that a password reset link be sent to their email address. The tool itself was functioning correctly and as intended; however, due to a bug in a separate code path, the system did not properly verify that the email address provided by the person requesting a password reset matched the email address associated with that user's Instagram account," the document reads.
Thousands of Personal Data Records Potentially Exposed
In total, exactly 20,225 Instagram users had their accounts hijacked in this malicious campaign. Although Meta says it does not know exactly what data the attackers took, taking control of an Instagram account can potentially expose a great deal of information:
- Contact information (email addresses and/or phone numbers)
- Dates of birth
- Posts and content (photos, videos, stories)
- Direct messages (private conversations)
- Account activity and interaction history
- Profile information (bio, profile picture)
- Other connected accounts and linked services
Public posts are less of a concern, but exposure of personal details and private conversations is a different matter.
HTS Tool Temporarily Taken Offline...
Pending a fix, Meta has taken its AI-assisted HTS support tool offline.
"Before relaunching the tool, Meta will fix authentication verification in Instagram's recovery entry point to ensure proper validation of email addresses against existing account information before a password reset is initiated," Amber Hannah said. In addition, Meta says it will review its other account recovery tools to ensure they do not suffer from a similar issue that could put users' accounts at risk.
Meta also took two additional steps to protect affected users:
- All password reset links generated by this tool have been revoked, as a precaution.
- All impacted accounts are being redirected to a security check, where users will need to re-authenticate and change their password again.
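The flaw described above and the fix Meta announced come down to one missing check in a password reset flow. The following Python model is an added example, not Meta's code and not based on any knowledge of how HTS is implemented: it puts a deliberately flawed reset handler, which mails the link to whatever address the requester typed, beside a hardened one that validates the supplied address against the one on file and only ever mails the registered address. It also models the two mitigation steps from the notice (revoking every outstanding link, and a second factor that stops a stolen link from being enough on a 2FA-enrolled account). The `Account`, `Outbox`, token store and the assumption that the second factor is checked before the new password is accepted are all constructed for illustration.

```python
import hmac
import secrets
import unicodedata
from dataclasses import dataclass, field

# Same reply whether or not the address matched, so the endpoint does not
# confirm which email belongs to which account.
GENERIC_REPLY = "If that address is on file, a reset link has been sent."


@dataclass
class Account:
    username: str
    email: str             # address registered in the account's settings
    has_2fa: bool = False  # second factor enrolled (assumption: checked on reset)


@dataclass
class Outbox:
    """Stand-in for the mailer: records (recipient, token) for each link sent."""
    sent: list = field(default_factory=list)

    def send(self, to: str, token: str) -> None:
        self.sent.append((to, token))


def normalize_email(addr: str) -> str:
    """Fold case, surrounding whitespace and Unicode compatibility forms
    so "  Alice@Example.COM " and "alice@example.com" compare equal."""
    return unicodedata.normalize("NFKC", addr).strip().lower()


def vulnerable_request_reset(account: Account, requested_email: str,
                             outbox: Outbox, tokens: dict) -> str:
    """The flaw as described: the link goes to the address the requester
    typed, with no comparison against the address on the account."""
    token = secrets.token_urlsafe(32)
    tokens[token] = account.username
    outbox.send(requested_email, token)   # attacker-controlled recipient
    return GENERIC_REPLY


def hardened_request_reset(account: Account, requested_email: str,
                           outbox: Outbox, tokens: dict) -> str:
    """Validate the supplied address against the one on file before minting
    a token, and mail only the registered address."""
    supplied = normalize_email(requested_email).encode()
    on_file = normalize_email(account.email).encode()
    if not hmac.compare_digest(supplied, on_file):
        return GENERIC_REPLY              # nothing minted, nothing sent
    token = secrets.token_urlsafe(32)
    tokens[token] = account.username
    outbox.send(account.email, token)     # never the user-supplied string
    return GENERIC_REPLY


def complete_reset(account: Account, tokens: dict, token: str,
                   second_factor_ok: bool = False) -> bool:
    """Consume a link. Assumption for this model: on a 2FA-enrolled account
    the second factor must be presented before the new password is accepted."""
    if tokens.pop(token, None) != account.username:
        return False
    if account.has_2fa and not second_factor_ok:
        return False
    return True


def revoke_all(tokens: dict) -> int:
    """Mitigation step from the notice: invalidate every outstanding link."""
    count = len(tokens)
    tokens.clear()
    return count


def demo() -> dict:
    """Constructed scenario: an attacker asks for a victim's reset link to be
    delivered to an address the attacker controls."""
    victim = Account("victim", "Victim@Example.com")
    guarded = Account("guarded", "guarded@example.com", has_2fa=True)
    attacker_addr = "attacker@evil.example"

    # Flawed flow: the attacker receives a valid link and takes the account.
    vuln_out, vuln_tokens = Outbox(), {}
    vulnerable_request_reset(victim, attacker_addr, vuln_out, vuln_tokens)
    stolen = vuln_out.sent[0][1]
    vuln_takeover = complete_reset(victim, vuln_tokens, stolen)

    # Hardened flow: the attacker's address is rejected silently; the real
    # owner's (differently cased, padded) address still works.
    hard_out, hard_tokens = Outbox(), {}
    hardened_request_reset(victim, attacker_addr, hard_out, hard_tokens)
    hardened_request_reset(victim, "  victim@EXAMPLE.com ", hard_out, hard_tokens)

    # Even with the flawed flow, a stolen link is not enough against 2FA.
    g_out, g_tokens = Outbox(), {}
    vulnerable_request_reset(guarded, attacker_addr, g_out, g_tokens)
    twofa_blocked = not complete_reset(guarded, g_tokens, g_out.sent[0][1])

    return {
        "vulnerable_recipient": vuln_out.sent[0][0],
        "vulnerable_takeover": vuln_takeover,
        "hardened_recipients": [to for to, _ in hard_out.sent],
        "twofa_blocked": twofa_blocked,
        "revoked": revoke_all(hard_tokens),
    }
```

Two design points worth keeping from the hardened version: the comparison happens before any token is created, so a mismatch leaves nothing to revoke later, and the reply is identical in both cases, so the recovery endpoint cannot be used to test which address belongs to an account.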
If you use Instagram and have not already done so, enable two-factor authentication (2FA): it is what kept accounts safe in this incident.