Meta has told regulators that attackers gained access to up to 20,225 Instagram accounts after exploiting a flaw tied to High Touch Support, an AI-assisted account recovery system.
The breach centred on account recovery, not a direct break into Instagram passwords. Attackers used High Touch Support to request password reset links for accounts they did not own. A separate code path then failed to confirm that the email address in the request matched the email address on the Instagram account.
Amber Hannah, Meta associate general counsel, explained the issue in the company notice to regulators:
“The tool itself worked properly and functioned as intended; however, due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account.
As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request. This allowed unauthorized third parties to receive a password reset link for accounts they did not own.”
Meta said the exploit happened in April and was discovered at the end of May. Reporting based on the Maine filing said the company resolved the incident on June 1 and counted 20,225 potentially affected accounts. Meta also said the figure represents an upper bound because some resets may have been legitimate.
Exposed information may include contact details, birth dates, direct messages, posts, account activity, profile details, and connected accounts. Meta said it could not determine exactly which personal data the attackers accessed.
Meta responded by disabling High Touch Support, invalidating password reset links generated through the flawed route, removing the vulnerable code path, and requiring affected users to pass a security checkpoint before returning to their accounts.
The company has not offered identity protection services to affected users, according to the breach notice details. Several law firms have since announced class action investigations tied to the Instagram account takeover incident.
The case adds another warning for AI-assisted support tools. Account recovery systems carry high risk because they can reset access to private profiles, payment-linked services, and connected accounts. When AI support tools can trigger privileged actions, companies need strict checks around identity, email ownership, and reset link delivery.
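To make the failure mode concrete, here is an added illustration (not code from Meta or from this article) of a minimal reset-request handler in the shape the notice describes: one version reproduces the missing email-match check, the other only ever delivers a link to the address already on file. The account store, usernames and addresses are constructed sample data.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample account store: username -> email associated with the account.
ACCOUNTS = {"alice": "alice@example.com"}


@dataclass
class Outbox:
    """Records (recipient, token) pairs so callers can see where links went."""
    sent: list = field(default_factory=list)


def vulnerable_reset(username: str, requested_email: str, outbox: Outbox) -> bool:
    """Mirrors the bug in the notice: the account exists, so a reset link is
    minted and sent to whatever address the requester supplied."""
    if username not in ACCOUNTS:
        return False
    token = secrets.token_urlsafe(32)
    outbox.sent.append((requested_email, token))  # attacker-controlled recipient
    return True


def hardened_reset(username: str, requested_email: str, outbox: Outbox) -> bool:
    """Send a reset link only when the supplied address matches the one on
    file, and deliver it to the address on file, never to the request."""
    on_file = ACCOUNTS.get(username)
    if on_file is None:
        return False  # same result as a mismatch, so responses do not enumerate accounts
    # Normalise, then compare in constant time so timing does not leak the stored address.
    supplied = requested_email.strip().lower().encode()
    expected = on_file.strip().lower().encode()
    if not hmac.compare_digest(expected, supplied):
        return False
    token = secrets.token_urlsafe(32)
    outbox.sent.append((on_file, token))
    return True
```

Both functions return the same value for an unknown account and for a rejected address, so a caller can show the requester one generic message regardless of which path was taken.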