Last updated: July 5, 2026 at 9:01 AM UTC
Tag: meta (2 articles)

Instagram AI recovery flaw let attackers hijack 20,000 accounts

Meta has confirmed that attackers took over 20,225 Instagram accounts by abusing a flaw in its AI-assisted account recovery tool, called High Touch Support. A bug meant the system never checked that the email address someone supplied actually belonged to the account, so an attacker could request a password reset for any account and have the link sent to their own inbox, then walk in, unless the target had two-factor authentication on. High-profile accounts, reportedly including the Obama White House and US Space Force personnel, were hijacked and sold on the dark web. Meta has secured the accounts and is fixing the verification check before relaunching the tool.

Check
Confirm two-factor authentication is enabled on your Instagram and other Meta accounts, and review login activity and linked email addresses for unauthorized changes since mid-April.
Affected
Instagram accounts (about 20,225 confirmed), particularly high-value or verified accounts without two-factor authentication, that could be reset through the flawed High Touch Support recovery tool.
Fix
Turn on two-factor authentication, review and remove unrecognized linked emails and active sessions, and reset your password. Meta has secured affected accounts and is patching the recovery flow.

Hackers social-engineer Meta's new AI account-recovery bot to hijack high-value Instagram handles; MFA-enabled accounts were unaffected

Krebs on Security reports that attackers social-engineered Meta's newly deployed conversational AI account-recovery assistant to hijack high-value, short Instagram handles allegedly worth over half a million dollars. Meta had rolled out the AI layer to reduce friction in common recovery workflows - relinking emails, triggering password resets, verifying ownership - that previously required weeks of back-and-forth with automated ticketing. Just as human support staff can be tricked into granting unauthorized access, the AI assistant proved equally eager to help and vulnerable to manipulation. Meta pushed an emergency patch over the weekend and says no back-end database was breached. Critically, the exploit failed against any account with MFA enabled.

Check
For high-value social accounts, enable phishing-resistant MFA (passkey or security key) now. Review whether any platforms you depend on use AI bots for sensitive account-recovery workflows.
Affected
High-value Instagram accounts without MFA. More broadly, any platform deploying AI chatbots for account recovery creates a social-engineerable attack surface, just like human support staff.
Fix
Enable the strongest MFA available - even SMS codes blocked this exploit. Treat AI-driven account-recovery flows as a new attack surface and require step-up verification for high-value account changes.
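Both summaries above describe the same two design properties of a safe recovery flow: the reset link must go only to the email address already registered on the account (the check the High Touch Support tool skipped), and holding the link must not be enough to change the password when MFA is on (the reason MFA-enabled accounts were unaffected). The following is an added, self-contained illustration written for this page; it is not Meta's code and the account store, handles, emails and the `Outbox` mail stand-in are constructed sample data. It places the flawed pattern beside the corrected one so the difference in where the mail lands, and in what the second step requires, can be observed directly.

```python
"""Recovery-flow illustration: unverified recovery email vs. bound email + MFA step-up.
Added example for this page; all accounts and addresses are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    handle: str
    registered_email: str
    password: str = "old-password"
    mfa_secret: Optional[str] = None   # constructed: None means MFA is off


@dataclass
class Outbox:
    """Stand-in for the mail sender; records (recipient, token) for inspection."""
    sent: List[Tuple[str, str]] = field(default_factory=list)


# Constructed sample accounts (hypothetical, not real users).
ACCOUNTS: Dict[str, Account] = {
    "no_mfa": Account("no_mfa", "owner1@example.com"),
    "with_mfa": Account("with_mfa", "owner2@example.com", mfa_secret="123456"),
}
PENDING: Dict[str, str] = {}   # reset token -> handle

# One reply for every outcome, so the endpoint is not an email-enumeration oracle.
GENERIC_REPLY = "If that email is on file, a reset link has been sent."


def vulnerable_request_reset(handle: str, supplied_email: str, outbox: Outbox) -> str:
    """Bug pattern from the incident: the caller-supplied email is never compared
    with the account's registered address, so the link goes to whichever inbox
    the caller names."""
    acct = ACCOUNTS.get(handle)
    if acct is None:
        return GENERIC_REPLY
    token = secrets.token_urlsafe(16)
    PENDING[token] = handle
    outbox.sent.append((supplied_email, token))   # delivered to an unverified address
    return GENERIC_REPLY


def hardened_request_reset(handle: str, supplied_email: str, outbox: Outbox) -> str:
    """Corrected flow: the supplied email is only a claim that must match the
    registered address (constant-time compare), and the link is sent to the
    registered address, never to the caller-supplied one."""
    acct = ACCOUNTS.get(handle)
    if acct is None:
        return GENERIC_REPLY
    claimed = supplied_email.strip().lower().encode()
    on_file = acct.registered_email.lower().encode()
    if not hmac.compare_digest(on_file, claimed):
        return GENERIC_REPLY   # same reply, but nothing is sent
    token = secrets.token_urlsafe(16)
    PENDING[token] = handle
    outbox.sent.append((acct.registered_email, token))
    return GENERIC_REPLY


def complete_reset(token: str, new_password: str, mfa_code: Optional[str] = None) -> str:
    """Second step. The token is single-use (popped before any check, so a wrong
    MFA code burns it). For MFA accounts, possession of the link is not enough:
    a valid second factor is required before the password changes (step-up)."""
    handle = PENDING.pop(token, None)
    if handle is None:
        return "invalid_or_expired"
    acct = ACCOUNTS[handle]
    if acct.mfa_secret is not None:
        if mfa_code is None or not hmac.compare_digest(
            acct.mfa_secret.encode(), mfa_code.encode()
        ):
            return "mfa_required"
    acct.password = new_password
    return "reset_ok"


def recipients_for(request_fn, handle: str, supplied_email: str) -> List[str]:
    """Run one reset request and return where the mail actually went."""
    outbox = Outbox()
    request_fn(handle, supplied_email, outbox)
    return [recipient for recipient, _ in outbox.sent]


if __name__ == "__main__":
    # A request on someone else's handle naming a third-party inbox.
    print("vulnerable:", recipients_for(vulnerable_request_reset, "no_mfa", "third-party@example.net"))
    print("hardened:  ", recipients_for(hardened_request_reset, "no_mfa", "third-party@example.net"))
```

`recipients_for` returns `['third-party@example.net']` for the flawed flow and `[]` for the corrected one; the third-party address simply never receives anything, while a request naming the registered address (case-insensitively) does. Running `complete_reset` on a token for the MFA account without a code returns `mfa_required` regardless of which request function issued it, which is the property the second article reports: even the flawed flow could not finish a takeover once a second factor was enrolled.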