Meta disclosed that a critical flaw in its AI-assisted Instagram account recovery tool exposed more than 20,000 user accounts to takeover attacks over a seven-week period in 2026. The vulnerability in the High Touch Support (HTS) tool, which was designed to help users regain access to locked accounts, allowed attackers to reset passwords for any Instagram account by simply providing their own email address. The tool failed to verify whether the submitted email matched the account's registered address before sending password reset links.
The breach window extended from approximately April 17 through early June 2026, with Meta discovering the issue on May 31. During this period, attackers exploited the flaw to gain complete access to compromised accounts, including direct messages, contact information, dates of birth, posts, stories, and linked external services. Accounts without two-factor authentication enabled were particularly vulnerable, as attackers could immediately lock out legitimate owners after resetting passwords.
The technical failure represents a fundamental oversight in identity verification. The HTS system accepted any email address provided during the recovery process and sent password reset links to that address without cross-referencing it against the account's actual registered email. This allowed unauthorized parties to receive reset links for accounts they did not own and subsequently take control if 2FA was not active. The vulnerability went undetected for approximately six weeks before internal discovery.
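The check the article says was missing is small, which is what makes the oversight notable. The following Python is an added example, not Meta's code and not a reconstruction of how HTS was actually built (its internals are not public); the account records, addresses and function names are constructed for illustration. It puts a recovery handler with the described flaw beside a hardened one that only ever sends the link to the registered address, answers identically whether or not the submitted address matches, and tags each issued token with the pathway that minted it so that, as in the remediation described below, every link from the vulnerable flow can be revoked at once.

```python
import hashlib
import hmac
import secrets

# Constructed sample account store: account id -> registered recovery email and 2FA state.
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "two_factor": True},
    "bob": {"email": "bob@example.com", "two_factor": False},
}

# Where reset links were "delivered": list of (recipient address, token).
OUTBOX = []

# Issued tokens, stored hashed: sha256(token) -> (account, pathway that minted it).
ISSUED = {}


def normalize_email(addr: str) -> str:
    """Canonical form for comparison: trimmed and lower-cased."""
    return addr.strip().lower()


def mint_token(account: str, pathway: str) -> str:
    """Create a single-use reset token and record which recovery flow issued it."""
    token = secrets.token_urlsafe(32)
    ISSUED[hashlib.sha256(token.encode()).hexdigest()] = (account, pathway)
    return token


def vulnerable_recovery(account: str, submitted_email: str) -> str:
    """Models the flaw described in the article: the reset link is sent to whatever
    address the requester typed, with no comparison against the registered one."""
    token = mint_token(account, "hts")
    OUTBOX.append((normalize_email(submitted_email), token))
    return "A reset link has been sent"


def hardened_recovery(account: str, submitted_email: str) -> str:
    """Send the link only to the registered address, and only when the submitted
    address matches it. The response is the same in every case so the endpoint
    does not confirm which address is on file for an account."""
    record = ACCOUNTS.get(account)
    if record is not None:
        registered = normalize_email(record["email"]).encode()
        submitted = normalize_email(submitted_email).encode()
        # Constant-time comparison; compare_digest also handles unequal lengths.
        if hmac.compare_digest(registered, submitted):
            token = mint_token(account, "standard")
            OUTBOX.append((registered.decode(), token))
    return "If the address matches our records, a reset link has been sent"


def redeem_token(token: str):
    """Return the account a token unlocks, or None if it is unknown or revoked."""
    entry = ISSUED.get(hashlib.sha256(token.encode()).hexdigest())
    return entry[0] if entry else None


def invalidate_pathway(pathway: str) -> int:
    """Remediation: revoke every outstanding token minted by one recovery flow."""
    doomed = [h for h, (_, p) in ISSUED.items() if p == pathway]
    for h in doomed:
        del ISSUED[h]
    return len(doomed)


def needs_checkpoint(account: str) -> bool:
    """Accounts without 2FA that passed through the vulnerable flow get a forced
    re-authentication; with 2FA a leaked link alone does not yield the account."""
    touched = any(a == account and p == "hts" for a, p in ISSUED.values())
    return touched and not ACCOUNTS[account]["two_factor"]


if __name__ == "__main__":
    # Walk through the scenario: an outsider's address is supplied for bob's account.
    vulnerable_recovery("bob", "outsider@example.net")
    print("vulnerable flow delivered link to:", OUTBOX[-1][0])
    print("hardened flow says:", hardened_recovery("bob", "outsider@example.net"))
    print("links delivered after hardened attempt:", len(OUTBOX))
    print("checkpoint needed for bob:", needs_checkpoint("bob"))
    print("tokens revoked from vulnerable flow:", invalidate_pathway("hts"))
```

The comparison is done on a normalized form so that case or whitespace differences in a legitimate request do not fail the check, and with `hmac.compare_digest` so the match itself is not a timing side channel. Tagging tokens with their issuing pathway is what makes a blanket revocation of one flow's links possible without disturbing links issued through the correct one.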
Following discovery, Meta took immediate remediation steps by disabling the HTS tool entirely, invalidating all reset links generated through the vulnerable pathway, and forcing mandatory security checkpoints for all potentially affected accounts. The company implemented full password resets and re-authentication requirements for impacted users. Meta has also initiated a review of similar account recovery mechanisms across all its platforms, suggesting concerns about potential parallel vulnerabilities in other systems.
This incident adds to Meta's growing list of security failures, following previous penalties including a $264 million fine for a 2018 Facebook breach affecting 29 million accounts and a €91 million fine for storing hundreds of millions of passwords in plaintext. California Attorney General Rob Bonta and 39 other state attorneys general have called on Meta to strengthen protections against account takeovers. Meta is notifying affected users and recommending they enable two-factor authentication and review their security settings immediately.
Source: https://securityaffairs.com/193307/ai/meta-ai-recovery-tool-flaw-exposed-20000-instagram-accounts.html