Vulnerability exploit | Contained

Meta Instagram 'High Touch Support' account-takeover breach (2026)

Attackers abused a verification flaw in Meta's AI-assisted Instagram account-recovery tool, High Touch Support, to trigger password resets and hijack 20,225 accounts before Meta detected and disabled the tool.

Victim: Meta Platforms (Instagram)
Users: 20.2K

On 8 June 2026, Meta Platforms — the operator of Instagram — disclosed that attackers had hijacked 20,225 Instagram accounts by abusing a flaw in High Touch Support (HTS), an AI-assisted account-recovery tool meant to help locked-out users regain access. In a filing to the Maine Attorney General's office, Meta said the abuse ran undetected for roughly six weeks before the company caught it.

What happened

HTS is designed to walk users through account recovery when they can no longer log in. The vulnerability was a missing ownership check: the tool did not properly confirm that the email address entered during recovery actually matched the address already tied to the target Instagram account. An attacker could therefore request a password reset for someone else's account and have the reset link delivered to an inbox they controlled.

Because the reset path ran through the support workflow, attackers were able to take over accounts even when the victim had two-factor authentication enabled, sidestepping a control users are repeatedly told to rely on. Meta says the abuse began around 17 April 2026 and was not discovered until 31 May 2026; it then pulled the tool offline and invalidated every reset link HTS had generated.
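The flaw described above is a missing ownership check in the reset path, and the containment step was bulk invalidation of every link the tool had issued. The following is an added illustration, not Meta's code and not how HTS is implemented: a minimal reset service with the vulnerable request handler beside a fixed one, a redeem step that shows why a reset link sidesteps a second factor, and the revoke-all step. Account names, addresses and the token scheme are constructed for the example.

```python
"""Password-reset flow: a missing ownership check beside its fix.

Added example, not Meta's or Instagram's code. The account directory,
addresses and token scheme are constructed assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    email: str            # address on file for this account
    totp_enabled: bool    # second factor; only ever checked at front-door login


# Constructed sample directory: the victim has 2FA on, the attacker does not.
ACCOUNTS: Dict[str, Account] = {
    "victim": Account("victim", "victim@example.com", totp_enabled=True),
    "mallory": Account("mallory", "mallory@example.net", totp_enabled=False),
}


class ResetService:
    """Issues and redeems password-reset tokens.

    `outbox` records which inbox each reset link was delivered to, so the
    effect of the ownership check can be observed directly.
    """

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self.active: Dict[str, Tuple[str, float]] = {}   # token -> (username, expiry)
        self.outbox: List[Tuple[str, str]] = []          # (email, token) "sent"

    def _issue(self, username: str) -> str:
        # Server-side table is authoritative; the token itself carries nothing.
        token = secrets.token_urlsafe(16)
        self.active[token] = (username, time.time() + self.ttl)
        return token

    def request_reset_vulnerable(self, username: str, contact_email: str) -> bool:
        """The flaw as the write-up describes it: the address typed into the
        recovery form is trusted, so the link goes wherever the caller says."""
        if username not in ACCOUNTS:
            return False
        self.outbox.append((contact_email, self._issue(username)))
        return True

    def request_reset_fixed(self, username: str, contact_email: str) -> bool:
        """Ownership check: the supplied address must match the one on file,
        and the link is delivered only to the on-file address. Unknown users
        and mismatches get the same response so usernames cannot be enumerated."""
        acct = ACCOUNTS.get(username)
        if acct is None:
            return True
        supplied = contact_email.strip().lower().encode()
        on_file = acct.email.lower().encode()
        if not hmac.compare_digest(supplied, on_file):
            return True   # silently do nothing
        self.outbox.append((acct.email, self._issue(username)))
        return True

    def redeem(self, token: str, new_password: str) -> Optional[str]:
        """Consumes a token and returns the account it unlocks. No second
        factor is consulted here: a reset link is a complete bypass of TOTP,
        so issuing it to the right inbox is the whole control."""
        entry = self.active.pop(token, None)
        if entry is None:
            return None
        username, expires_at = entry
        if time.time() > expires_at:
            return None
        return username   # caller would now set new_password for username

    def invalidate_all(self) -> int:
        """Containment step: revoke every outstanding reset link at once."""
        count = len(self.active)
        self.active.clear()
        return count


def run_scenario() -> Dict[str, object]:
    """Same request against both handlers; returns what each one did."""
    vuln = ResetService()
    vuln.request_reset_vulnerable("victim", "mallory@example.net")
    leaked_to, leaked_token = vuln.outbox[-1]
    taken_over = vuln.redeem(leaked_token, "new-pass")   # succeeds despite TOTP

    fixed = ResetService()
    fixed.request_reset_fixed("victim", "mallory@example.net")   # nothing sent
    fixed.request_reset_fixed("victim", "Victim@example.com")    # legit, case-folded
    legit_to = fixed.outbox[-1][0]
    revoked = fixed.invalidate_all()

    return {
        "vulnerable_reset_delivered_to": leaked_to,
        "vulnerable_account_unlocked": taken_over,
        "fixed_links_sent": len(fixed.outbox),
        "fixed_reset_delivered_to": legit_to,
        "links_revoked": revoked,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point to notice is in `redeem`: nothing about `totp_enabled` is consulted, which is exactly why a defect in issuance, not in login, is what neutralised 2FA for the affected accounts. The fix is to derive the delivery address from the account record and treat the form input only as something to compare against.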

Impact

  • 20,225 Instagram accounts were taken over via the recovery-tool flaw.
  • The abuse window stretched roughly seven weeks (mid-April to early June) before detection.
  • Reported high-profile targets included a dormant Obama-era White House account and a U.S. Space Force senior enlisted leader's account.
  • Meta plans to notify affected users from 19 June 2026 and to urge them to review security settings and enable two-factor authentication.

No specific threat-actor group has been publicly named as responsible.

Why it matters

The breach is a cautionary tale about support and account-recovery tooling as an attack surface — and, increasingly, about AI-assisted support flows that automate decisions a human reviewer might once have caught. The most damaging detail is that a flaw in the recovery path neutralised two-factor authentication for the affected accounts: the protection users are told to trust did not help, because the takeover never went through the front-door login at all.

Timeline

  1. Unauthorised parties begin abusing the High Touch Support (HTS) recovery tool to request password resets for accounts they do not own.

  2. Meta discovers the abuse of the HTS tool.

  3. Meta disables HTS and invalidates all password-reset links the tool had generated.

  4. Meta notifies the Maine Attorney General that 20,225 Instagram accounts were affected; the incident is widely reported.

  5. Meta plans to begin notifying affected users electronically and to recommend enabling two-factor authentication.

Sources

  1. helpnetsecurity.com: https://www.helpnetsecurity.com/2026/06/08/instagram-ai-support-vulnerability-account-takeovers/
  2. securityweek.com: https://www.securityweek.com/meta-says-20000-instagram-accounts-hacked-via-ai-tool-abuse/
  3. cybernews.com: https://cybernews.com/privacy/meta-critical-vulnerability-tool-20k-instagram-user/
  4. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/meta-ai-support-data-breach-affects-20-000-instagram-accounts/