San Francisco: Meta has confirmed that more than 20,000 Instagram accounts were compromised after hackers exploited a vulnerability in the company’s AI-assisted account recovery system, raising fresh concerns about online security and account protection.
According to a data breach notification filed with U.S. authorities, the incident affected 20,225 Instagram users and involved a flaw in Meta’s High Touch Support (HTS) system, an AI-powered tool designed to help users recover access to locked accounts.
Meta said it discovered the vulnerability on May 31, although investigators believe the breach may have started as early as April 17.
The company has since secured the affected accounts and implemented measures to prevent further unauthorized access.
How the Breach Happened
The security issue was not caused by the account recovery tool itself but by a bug elsewhere in the system. During password reset requests submitted through HTS, the platform reportedly failed to verify whether the email address provided matched the one originally linked to the Instagram account.
As a result, password reset links could be sent to email addresses controlled by attackers instead of legitimate account owners.
Once passwords were changed, hackers gained access to accounts, particularly those that did not have two-factor authentication (2FA) enabled.
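The failure described above is a missing ownership check in a password-reset handler. The following is an added illustration, not Meta's code and not anything taken from the HTS system: it places a handler with that defect beside a hardened one so the difference is visible. The account store, the in-memory mailer, the field names (`recovery_email`) and the token routine are all constructed for the example.

```python
"""Added example (not Meta's code): a password-reset handler that forwards
the requester's email without checking it, beside a hardened version.

Everything here is constructed: the in-memory account table, the token
generation and the 'mailer' that records where a reset link would be sent.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    recovery_email: str  # address linked to the account when it was set up


# Constructed sample data standing in for the platform's account store.
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com"),
}


@dataclass
class Mailer:
    """Records outbound reset links instead of sending mail, so the two
    handlers can be compared offline."""
    sent: list = field(default_factory=list)

    def send_reset_link(self, to_addr: str, token: str) -> None:
        self.sent.append((to_addr, token))


def new_reset_token() -> str:
    # Unguessable single-use token; a real system would also store an expiry.
    return secrets.token_urlsafe(32)


def vulnerable_reset(username: str, email_provided: str, mailer: Mailer) -> bool:
    """The failure mode the article describes: the email supplied by the
    requester is used as the delivery address without being compared to the
    address already linked to the account."""
    account = ACCOUNTS.get(username)
    if account is None:
        return False
    mailer.send_reset_link(email_provided, new_reset_token())  # BUG: unverified
    return True


def hardened_reset(username: str, email_provided: str, mailer: Mailer) -> bool:
    """Fixed handler: the link is only ever sent to the address on record, and
    only when the requester supplied that same address.

    Returns False for both 'no such account' and 'email does not match' so
    the caller can give a uniform response and not confirm which addresses
    are linked to which accounts."""
    account = ACCOUNTS.get(username)
    if account is None:
        return False
    on_record = account.recovery_email.strip().casefold().encode()
    supplied = email_provided.strip().casefold().encode()
    # Constant-time comparison after normalisation: case differences do not
    # bypass the check and the comparison does not leak via timing.
    if not hmac.compare_digest(on_record, supplied):
        return False
    mailer.send_reset_link(account.recovery_email, new_reset_token())
    return True


if __name__ == "__main__":
    vuln, fixed = Mailer(), Mailer()
    vulnerable_reset("alice", "not-the-owner@example.net", vuln)
    hardened_reset("alice", "not-the-owner@example.net", fixed)
    print("vulnerable handler sent link to:", [addr for addr, _ in vuln.sent])
    print("hardened handler sent link to:  ", [addr for addr, _ in fixed.sent])
```

The hardened handler never uses the requester-supplied address as a destination; it is only a claim to be checked against the record. Whatever the outcome, the user-facing response should be the same generic "if an account matches, a link has been sent", and a second factor on the account, as the article notes, still has to be presented even after a reset succeeds.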
Sensitive Data Potentially Exposed
Meta stated that it has not yet determined whether personal information was accessed during the breach. However, affected accounts may have contained sensitive data, including:
- Email addresses
- Phone numbers
- Dates of birth
- Direct messages
- Photos and videos
- Stories
- Profile information
- Account activity records
- Connected service details
The company said investigations remain ongoing.
Meta’s Emergency Action
Following the discovery, Meta disabled the HTS recovery system, invalidated all password reset links generated through the tool, and placed affected accounts under additional security protections.
The company is now notifying users who may have been impacted and is encouraging them to review their account security settings and enable two-factor authentication for added protection.
“The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account,” said Meta in its breach notice.
“As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request. This allowed unauthorized third parties to receive a password reset link for accounts they did not own,” the company added.
Meta also confirmed that it will fix the verification process before relaunching the recovery tool and is conducting a broader review of similar account recovery systems across its platforms to identify any related vulnerabilities.
Platform Security
The breach comes as Meta continues expanding artificial intelligence features across its products, including Instagram, Facebook, WhatsApp, and Messenger.
Security experts have repeatedly warned that AI-powered systems must undergo rigorous testing to prevent vulnerabilities that could be exploited by cybercriminals.
The company recently introduced stronger online safety measures for younger users worldwide, but the latest incident highlights the ongoing challenges technology firms face in balancing convenience, automation, and cybersecurity.
With more than two billion Instagram users globally, the breach serves as a reminder for users to enable multi-factor authentication and regularly review account security settings to reduce the risk of unauthorized access.