US-based social media giant Meta has confirmed that a vulnerability in its AI-powered Instagram account recovery system allowed attackers to take over more than 20,000 Instagram accounts. The issue was found in Meta’s High Touch Support (HTS) tool, an AI-assisted recovery system designed to help users regain access to locked Instagram accounts. According to the company, attackers exploited the flaw to obtain password reset links and gain control of accounts that did not have two-factor authentication (2FA) activated.
The social media giant admitted the flaw after weeks of complaints from Instagram users who reported being locked out of their accounts. Several prominent accounts were also reportedly affected, including the Barack Obama White House account, Sephora’s Instagram account, and the Chief Master Sergeant of Space Force account. Responding to one of the affected users on X, Meta’s vice president of communications, Andy Stone, said the “issue has been resolved” and that the company is safeguarding impacted accounts.
Thank you for raising this. While we have already secured impacted accounts, we are now working to restore access to affected individuals. Some people may receive password reset notifications and some may be asked security questions when they try and log into their accounts.
— Andy Stone (@andymstone) June 2, 2026
How The Hackers Pulled It Off
As per the 404 Media report, the hackers took advantage of a critical oversight in Meta’s AI support workflow. The HTS system reportedly failed to verify whether an email address provided during account recovery was actually linked to the Instagram account being targeted.
In a letter to the Maine attorney general’s office, Meta admitted that a bug in a separate code path meant the system never actually checked if the email entered during a password reset matched the one on the account. So when a hacker typed in their own email, the system just sent the reset link there instead of flagging it as wrong. That is a pretty basic check to miss.
Hackers also used a VPN to fake their location, picking one close to the target so Instagram’s systems would not raise any red flags.
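The missing check described above, sketched as an added example. This is not Meta's code (the HTS implementation is not public); the class, method and address names are assumptions. The vulnerable path mails the link to whatever address was typed, while the hardened path sends only to an address already on file and flags mismatches.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    emails: frozenset  # verified addresses on file, stored lowercased

class RecoveryService:
    """Hypothetical recovery backend; not Meta's HTS code."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.outbox = []   # (recipient, username, token) for each reset mail sent
        self.flagged = []  # (username, supplied address) for review and alerting

    def _send_reset(self, username, recipient):
        self.outbox.append((recipient, username, secrets.token_urlsafe(32)))

    def reset_vulnerable(self, username, supplied_email):
        # The flaw as reported: the address typed by the requester is used
        # as the destination without comparing it to the account record.
        if username in self.accounts:
            self._send_reset(username, supplied_email.strip().lower())
        return "If the details match, a reset link has been sent."

    def reset_hardened(self, username, supplied_email):
        supplied = supplied_email.strip().lower()
        account = self.accounts.get(username)
        on_file = None
        for known in (account.emails if account else ()):
            if hmac.compare_digest(known.encode(), supplied.encode()):
                on_file = known
        if on_file is not None:
            # Destination comes from the stored record, never from the request.
            self._send_reset(username, on_file)
        else:
            self.flagged.append((username, supplied))
        # Same reply either way, so the form does not confirm which
        # addresses belong to which account.
        return "If the details match, a reset link has been sent."
```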
When Did Meta Find Out
Meta says it discovered the vulnerability on May 31, 2026. But the filing with Maine’s attorney general suggests attacks may have started as early as April 17. That means hackers had over a month to quietly work through accounts before anyone at Meta noticed.
What Meta Did After The Breach
Once the issue was caught, Meta shut down the HTS tool entirely and cancelled all password reset links that had been generated through it. Affected accounts were put into a mandatory security checkpoint so no one could log in until the real owner verified themselves. Users were also told to reset their passwords through secure channels.
It was a fast response once they knew. The problem is how long it took to find out in the first place.
What Users Should Do Right Now
If two-factor authentication is not turned on for your Instagram account, switch it on today. The hackers in this case went after accounts without 2FA because those were the easiest to take over. With 2FA on, even if someone gets your password, they still cannot get in without a second code that only you receive.
Also check your account’s login activity for anything suspicious, and change your password if you have not done so recently.
The Bigger Problem With AI-Powered Support
This whole incident points to something worth thinking about. Handing over sensitive tasks like account recovery to an AI system carries real risk. One logic flaw in the code and tens of thousands of accounts are suddenly up for grabs. The HTS tool was built to help people, and it did, until it did not. The question now is whether Meta, and other companies doing the same thing, are testing these systems carefully enough before they go live.
Syed Ziyauddin is a media and international relations enthusiast with a strong academic and professional foundation. He holds a Bachelor’s degree in Mass Media from Jamia Millia Islamia and a Master’s in International Relations (West Asia) from the same institution.
He has worked with organizations like ANN Media, TV9 Bharatvarsh, NDTV and Centre for Discourse, Fusion, and Analysis (CDFA). His core interests include tech, auto and global affairs.