Meta Admits AI Support Flaw Led to Hijacking of Over 20,000 Instagram Accounts

The CSR Journal Magazine

Meta has acknowledged a major security lapse in its AI-powered Instagram account recovery system that allowed hackers to take control of more than 20,000 user accounts worldwide. The vulnerability, discovered within the company’s High Touch Support (HTS) tool, has raised fresh concerns about the risks associated with relying on artificial intelligence for critical account security functions.

AI Recovery Tool Exploited by Hackers

The flaw was found in Meta’s HTS system, a support mechanism designed to help users regain access to locked Instagram accounts. According to reports, attackers exploited a weakness in the recovery process that failed to properly verify whether an email address submitted during account recovery actually belonged to the account owner.

By manipulating the AI-powered support workflow, hackers were reportedly able to associate targeted accounts with email addresses under their control. Once the new email address was linked, they requested password reset links and gained unauthorized access to the accounts.

Accounts without two-factor authentication (2FA) were particularly vulnerable to the attack.
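The recovery weakness described above, modelled as an added toy example that is not Meta's HTS code: a flow that rebinds whatever address the caller submits and hands out a reset link, beside a hardened flow that binds the address only after the caller proves control of it via a one-time token and that refuses email-only recovery when 2FA is enabled. The class and function names, the example.invalid links and the token scheme are assumptions made for the illustration.

```python
"""Toy account-recovery model (hypothetical; not Meta's implementation).
Shows the unverified-email rebinding bug beside a hardened two-step flow."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

RESET_BASE = "https://example.invalid/reset"  # placeholder, not a real endpoint


@dataclass
class Account:
    email: str
    has_2fa: bool = False
    # hardened flow: claimed address -> challenge token that was mailed to it
    pending: Dict[str, str] = field(default_factory=dict)


def recover_unsafe(acct: Account, claimed_email: str) -> str:
    """Vulnerable flow: trusts the submitted address, rebinds it at once and
    returns a reset link, so anyone who names the account can take it over."""
    acct.email = claimed_email
    return f"{RESET_BASE}?to={claimed_email}&t={secrets.token_urlsafe(16)}"


def start_recovery_safe(acct: Account, claimed_email: str) -> Optional[str]:
    """Hardened flow, step 1: nothing is rebound yet. A one-time challenge is
    generated for claimed_email and returned here only so the demo can simulate
    delivering it by mail. Accounts with 2FA are routed elsewhere: the support
    assistant must not be able to finish recovery on its own."""
    if acct.has_2fa:
        return None
    token = secrets.token_urlsafe(24)
    acct.pending[claimed_email] = token
    return token


def finish_recovery_safe(acct: Account, claimed_email: str, presented: str) -> Optional[str]:
    """Step 2: the address is bound and a reset link issued only when the caller
    presents the token that was mailed to claimed_email (constant-time compare)."""
    expected = acct.pending.get(claimed_email)
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    del acct.pending[claimed_email]
    acct.email = claimed_email
    return f"{RESET_BASE}?t={secrets.token_urlsafe(16)}"


if __name__ == "__main__":
    victim = Account(email="owner@example.test")  # constructed sample account
    print("unsafe flow rebinds without proof:", recover_unsafe(victim, "other@example.test"))
    victim = Account(email="owner@example.test")
    start_recovery_safe(victim, "other@example.test")
    print("safe flow with a guessed token:", finish_recovery_safe(victim, "other@example.test", "guess"))
```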

High-Profile Accounts Among Victims

The breach affected a wide range of users, including several high-profile accounts. Reports indicate that the Barack Obama White House Instagram account and accounts belonging to major brands such as Sephora were among those targeted.

Meta’s Vice President of Communications, Andy Stone, responded publicly to user concerns, stating that the issue has been fixed and that the company is working to secure affected accounts.

Investigation Reveals Months-Long Exploitation

Meta disclosed the incident in a data breach notification submitted to the Maine Office of the Attorney General. The company said it first identified the vulnerability on May 31, 2026, although evidence suggests exploitation may have begun as early as April 17.

Screenshots and videos shared on Telegram reportedly showed hackers interacting directly with the AI support assistant. Some attackers allegedly used VPN services to mimic the locations of account owners, making recovery requests appear legitimate.

User Data Potentially Exposed

While Meta has not confirmed exactly what information was accessed, the company warned that compromised accounts may have exposed sensitive user data. This could include email addresses, phone numbers, dates of birth, profile information, photos, videos, Stories, and direct messages.

Meta Suspends Recovery System

In response, Meta has suspended the HTS recovery tool, invalidated all password reset links generated through it, and required affected users to reset their passwords before regaining access. The company is also strengthening its email verification procedures and reviewing similar AI-driven recovery systems across its platforms.

The incident has intensified debate over the growing use of artificial intelligence in customer support, highlighting the importance of robust safeguards when AI systems are entrusted with sensitive security functions.
