
Instagram AI recovery flaw let attackers hijack 20,000 accounts

Meta has confirmed that attackers took over 20,225 Instagram accounts by abusing a flaw in its AI-assisted account recovery tool, called High Touch Support. A bug meant the system never checked that the email address someone supplied actually belonged to the account, so an attacker could request a password reset for any account and have the link sent to their own inbox, then walk in, unless the target had two-factor authentication on. High-profile accounts, reportedly including the Obama White House and US Space Force personnel, were hijacked and sold on the dark web. Meta has secured the accounts and is fixing the verification check before relaunching the tool.
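
Meta has not published the internals of High Touch Support, so the following Python sketch is an added example rather than Meta's code. It models the defect the article describes, a reset handler that sends the link to whatever address the request contains, beside a hardened version that only ever delivers to the address already registered on the account and answers identically whether or not the supplied address matched. The service class, the account record, and the `victim@example.invalid` / `attacker@example.invalid` addresses are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str                  # the recovery address registered on the account
    password_hash: bytes = b""
    salt: bytes = b""


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class RecoveryService:
    accounts: dict                                   # username -> Account
    outbox: list = field(default_factory=list)       # (recipient, token) "emails" sent
    tokens: dict = field(default_factory=dict)       # live reset tokens -> username

    def _issue_token(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        return token

    def vulnerable_request_reset(self, username: str, supplied_email: str) -> str:
        """The defect the article describes: the address in the request is trusted,
        so the reset link is delivered wherever the requester asks."""
        account = self.accounts.get(username)
        if account is not None:
            self.outbox.append((supplied_email, self._issue_token(username)))
        return "ok"

    def hardened_request_reset(self, username: str, supplied_email: str) -> str:
        """Ownership check: the supplied address must match the registered one, and
        delivery goes only to the registered address held on the account."""
        account = self.accounts.get(username)
        if account is None:
            return "ok"     # same reply as success, so the flow does not reveal valid usernames
        supplied = supplied_email.strip().lower().encode()
        registered = account.email.strip().lower().encode()
        if not hmac.compare_digest(supplied, registered):
            return "ok"     # same reply again: no hint about whether the email matched
        self.outbox.append((account.email, self._issue_token(username)))
        return "ok"

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Redeem a token exactly once and set the new password."""
        username = self.tokens.pop(token, None)
        if username is None:
            return False
        account = self.accounts[username]
        account.salt = os.urandom(16)
        account.password_hash = hash_password(new_password, account.salt)
        return True


def make_demo_service() -> RecoveryService:
    """Constructed sample data: one account with a hypothetical recovery address."""
    salt = os.urandom(16)
    victim = Account("victim", "victim@example.invalid", hash_password("old-password", salt), salt)
    return RecoveryService(accounts={"victim": victim})


def recipients(service: RecoveryService) -> list:
    """Where the reset links went, for inspection."""
    return [recipient for recipient, _ in service.outbox]


if __name__ == "__main__":
    vuln = make_demo_service()
    vuln.vulnerable_request_reset("victim", "attacker@example.invalid")
    print("vulnerable flow delivered to:", recipients(vuln))
    hard = make_demo_service()
    hard.hardened_request_reset("victim", "attacker@example.invalid")
    hard.hardened_request_reset("victim", "Victim@Example.invalid")
    print("hardened flow delivered to:", recipients(hard))
```

Two details in the hardened handler carry the weight: the link is addressed from the stored `account.email`, never from request input, and every branch returns the same "ok" so the endpoint cannot be used to confirm which addresses belong to which accounts. The article's other observation, that accounts with two-factor authentication were not taken over, corresponds to a second gate after `complete_reset` that this sketch does not model: a new password alone should not complete the login when a second factor is enrolled.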

Check
Confirm two-factor authentication is enabled on your Instagram and other Meta accounts, and review login activity and linked email addresses for unauthorized changes since mid-April.
Affected
Instagram accounts (about 20,225 confirmed), particularly high-value or verified accounts without two-factor authentication, that could be reset through the flawed High Touch Support recovery tool.
Fix
Turn on two-factor authentication, review and remove unrecognized linked emails and active sessions, and reset your password. Meta has secured affected accounts and is patching the recovery flow.