Hackers hijack over 20,000 Instagram accounts through Meta AI flaw

More than 20,000 Instagram accounts were compromised after attackers exploited a vulnerability in Meta's AI-assisted account recovery system, the company has disclosed in a data breach notification filed with U.S. authorities, Qazinform News Agency correspondent reports.


According to the filing, the incident affected 20,225 Instagram users and stemmed from a flaw in Meta's High Touch Support (HTS) tool, an AI-powered service designed to help users regain access to locked accounts.

Meta said it discovered the vulnerability on May 31, although the breach is believed to have begun on April 17. The company has since secured the affected accounts and taken steps to prevent further unauthorized access.

The issue did not originate from the account recovery tool itself but from a bug in a separate part of the system. When users requested a password reset through HTS, the platform failed to verify whether the email address provided matched the one linked to the Instagram account. As a result, password reset links could be sent to email addresses controlled by attackers rather than legitimate account owners.
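The missing check described above, shown as a flawed handler beside a corrected one. This is an added example, not Meta's code: the account store, function names and addresses are hypothetical, and the uniform reply text goes beyond what the filing describes.

```python
import secrets

# Constructed sample data: one account and the address registered to it.
ACCOUNTS = {"alice": "alice@example.com"}
GENERIC_REPLY = "If the details match an account, a reset link has been sent."

def _normalize(address: str) -> str:
    """Trim and case-fold so ' Alice@Example.com' matches the stored form."""
    return address.strip().casefold()

def request_reset_flawed(username, supplied_email, outbox):
    """The flaw as reported: the supplied address is never compared with the
    one on file, so the link is mailed wherever the requester asks."""
    if username in ACCOUNTS:
        outbox.append((supplied_email, secrets.token_urlsafe(32)))
    return GENERIC_REPLY

def request_reset_checked(username, supplied_email, outbox):
    """Corrected flow: the supplied address must match the one on file, and
    the link is mailed to the stored address, never to the request's value."""
    on_file = ACCOUNTS.get(username)
    if on_file is not None and _normalize(supplied_email) == _normalize(on_file):
        outbox.append((on_file, secrets.token_urlsafe(32)))
    # Same reply either way, so the response does not reveal whether the
    # username exists or which address is registered to it.
    return GENERIC_REPLY

def recipients(handler, username, supplied_email):
    """Run one request and return the addresses that were mailed a link."""
    outbox = []
    handler(username, supplied_email, outbox)
    return [to for to, _token in outbox]

if __name__ == "__main__":
    for handler in (request_reset_flawed, request_reset_checked):
        print(handler.__name__,
              recipients(handler, "alice", "someone-else@example.net"),
              recipients(handler, "alice", " Alice@Example.com"))
```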

Once a password was reset, attackers were able to gain access to accounts that did not have two-factor authentication enabled.

Meta said it has not determined whether personal information was accessed. However, the compromised accounts potentially contained sensitive data, including email addresses, phone numbers, dates of birth, direct messages, photos, videos, stories, profile information, account activity records, and details of connected services.

Following the discovery, the company disabled the HTS system, invalidated all password reset links generated through the tool, and placed affected accounts under additional security controls. Users whose accounts may have been impacted are being notified and advised to review their security settings and enable two-factor authentication.

Meta said it will correct the verification process before relaunching the recovery tool and is conducting a broader review of similar account recovery systems across its platforms to identify and address any related vulnerabilities.

Earlier, Qazinform News Agency reported that Meta rolled out stronger teen safeguards worldwide.
