Particle.news

Meta Says 20,225 Instagram Accounts Compromised by AI Recovery Bug

The company says an AI‑assisted support flow sent password reset links to attacker emails, prompting forced re‑authentication and a review of recovery systems.

Overview

  • Meta disclosed that 20,225 Instagram accounts were potentially accessed through a flaw in its High Touch Support (HTS) recovery tool, saying it discovered the issue on May 31 and that the first exploitation may have begun around April 17.
  • Attackers used the HTS workflow to associate attacker‑controlled email addresses with targeted accounts: the system never verified that the email supplied in the recovery request matched the address on file, so the password reset link went to the attacker.
  • Accounts without two‑factor authentication were most at risk: possession of the reset link was enough to change the password and log in, whereas on 2FA‑protected accounts the login still required the second factor, which blocked many takeover attempts.
  • In response Meta disabled the AI recovery tool, removed the vulnerable code path, invalidated reset links, forced affected users through security checkpoints and said it will notify potentially impacted accounts and urge 2FA.
  • The incident exposes risks from delegating security‑critical actions to automated AI systems and is likely to increase regulatory and internal reviews of account‑recovery workflows and identity checks.
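The failure mode in the bullets above, the recovery flow trusting a requester-supplied email instead of the address on file, and the way 2FA still gates login after a stolen reset, as an added illustration. This is constructed example code, not Meta's HTS tool or any real Instagram code; the account store, mailer, token store and the `VALID_OTP` second factor are in-memory stand-ins, and the names `request_reset_vulnerable`, `request_reset_fixed`, `complete_reset`, `login` and `attacker_takeover` are hypothetical.

```python
import hashlib
import secrets
from typing import Optional

# --- constructed in-memory stand-ins for the account store, mailer and token store ---

def hash_password(pw: str) -> str:
    # illustrative only; a real system uses a slow KDF such as argon2 or scrypt
    return hashlib.sha256(pw.encode()).hexdigest()

ACCOUNTS = {
    "alice": {"email": "alice@example.com", "pw": hash_password("correct horse"), "mfa": False},
    "bob":   {"email": "bob@example.com",   "pw": hash_password("battery staple"), "mfa": True},
}
OUTBOX = []          # (recipient, token) pairs the mailer "delivered" (constructed)
RESET_TOKENS = {}    # token -> username, consumed on first use
VALID_OTP = "123456" # constructed stand-in for the user's second factor

def _issue_token(username: str, send_to: str) -> str:
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = username
    OUTBOX.append((send_to, token))
    return token

def request_reset_vulnerable(username: str, contact_email: str) -> bool:
    """Hypothetical flawed flow: sends the reset link to whatever address the
    requester typed, never checking it against the address on file."""
    if username not in ACCOUNTS:
        return False
    _issue_token(username, contact_email)   # BUG: contact_email is attacker-chosen
    return True

def request_reset_fixed(username: str, contact_email: str) -> bool:
    """Hardened flow: the typed address is only a hint; a mismatch is refused
    (and should be logged), and the link only ever goes to the on-file address."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    if not secrets.compare_digest(contact_email.strip().lower(), acct["email"].lower()):
        return False
    _issue_token(username, acct["email"])   # always the address on file
    return True

def complete_reset(token: str, new_password: str) -> bool:
    """Consume a reset token exactly once and set the new password."""
    username = RESET_TOKENS.pop(token, None)
    if username is None:
        return False
    ACCOUNTS[username]["pw"] = hash_password(new_password)
    return True

def login(username: str, password: str, second_factor: Optional[str] = None) -> bool:
    """A stolen reset link changes the password, but 2FA still gates the login."""
    acct = ACCOUNTS.get(username)
    if acct is None or not secrets.compare_digest(acct["pw"], hash_password(password)):
        return False
    if acct["mfa"]:
        return second_factor == VALID_OTP  # stand-in for a TOTP/WebAuthn check
    return True

def attacker_takeover(username: str, request_fn) -> bool:
    """Simulate the attack: supply an attacker mailbox, harvest any token that
    lands there, reset the password and try to log in with no second factor."""
    attacker_mail = "attacker@evil.example"
    before = len(OUTBOX)
    request_fn(username, attacker_mail)
    delivered = [t for to, t in OUTBOX[before:] if to == attacker_mail]
    if not delivered:
        return False
    complete_reset(delivered[0], "pwned")
    return login(username, "pwned")
```

Run `attacker_takeover("alice", request_reset_vulnerable)` and the non-2FA account falls; the same call against `bob` changes his password but the login still fails without the OTP, which is the protective effect the bullets attribute to 2FA. Against `request_reset_fixed` no token ever reaches the attacker's mailbox. The hardened version also keeps tokens single-use and compares addresses in constant time; a production fix would additionally rate-limit and alert on mismatched recovery requests.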