- Meta Confirms 20,225 Instagram Accounts Affected by HTS Password Reset Vulnerability
- Bug allowed attackers to request reset of unassociated emails
- HTS disabled, passwords reset, full review of recovery flow in progress
Last week’s attack on Meta’s customer support affected just over 20,000 accounts, the company confirmed. Hackers managed to break into these profiles and most likely exfiltrated the data stored there.
Last week, news broke that cybercriminals had exploited a vulnerability in Meta’s AI-powered customer support service, tricking it into sending password reset codes for other people’s accounts.
Today, the owner of Facebook and Instagram filed a new report with the Maine Attorney General’s Office, in which it states that 20,225 people were affected. In a letter to the Maine AG, Meta stated that it discovered a flaw in High Touch Support (HTS, an AI-assisted account recovery system for Instagram) on May 31, 2026.
Mitigating the intrusion
“The tool itself worked fine and worked as expected; however, due to a bug in a separate code path, the system did not properly verify that the email address provided by the person requesting a password reset matched the email address associated with that user’s Instagram account. As a result, when a person provided an email address not previously associated with the account, the system mistakenly sent a password reset link to that unassociated email rather than rejecting the request,” Meta explained.
The company says it has no evidence of data exfiltration but does not rule it out, given that the attackers could easily access the compromised accounts. The potentially exposed data includes contact information (email address and/or phone number), date of birth, social media posts and content (photos, videos, stories), direct messages and communications, account activity and interaction history, profile information (biography, profile photo), and connected accounts and related services.
To resolve the issue, Meta disabled HTS and reset the passwords of all affected profiles. It also enrolled all targeted accounts in a mandatory security checkpoint and required all users to re-authenticate.
“Before relaunching the tool, Meta will fix the authentication check in the Instagram recovery entry point to ensure proper verification of email addresses against existing account information before any password resets are initiated,” Meta emphasized. “Additionally, Meta is conducting a comprehensive review of similar account recovery flows across Meta platforms to identify and resolve any potential issues.”
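To make the missing check concrete, here is an added illustration (not Meta’s code; the account data and function names are assumed) of a minimal recovery entry point, with the flawed pattern Meta describes beside a corrected version that only delivers to addresses already on record and logs refused attempts for detection:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: one account with a single verified address.
ACCOUNTS = {"alice": {"alice@example.com"}}

# Refused requests are recorded so a defender can alert on a burst of
# mismatched-address resets, the signature of the abuse described above.
REFUSED = []

@dataclass
class ResetOutcome:
    sent_to: Optional[str]  # address the link was delivered to, None if refused
    message: str            # text shown to the requester

GENERIC = "If the address is associated with this account, a reset link was sent."

def vulnerable_request_reset(username: str, provided_email: str) -> ResetOutcome:
    """Flawed flow (the bug pattern Meta describes): the account is looked up,
    but the caller-supplied address is never compared with the addresses on
    record, so the link goes wherever the requester asks."""
    if username not in ACCOUNTS:
        return ResetOutcome(None, GENERIC)
    return ResetOutcome(provided_email, GENERIC)

def hardened_request_reset(username: str, provided_email: str) -> ResetOutcome:
    """Fixed flow: deliver only to an address already associated with the
    account. The response is identical for an unknown account, a mismatched
    address and a successful send, so the endpoint cannot be used to confirm
    which address belongs to which account."""
    address = provided_email.strip().lower()
    on_record = {e.lower() for e in ACCOUNTS.get(username, set())}
    if address not in on_record:
        REFUSED.append((username, address))
        return ResetOutcome(None, GENERIC)
    return ResetOutcome(address, GENERIC)
```

In production the same check belongs in every recovery entry point, not only the AI-assisted one, and the refusal log should feed an alert on repeated mismatches against a single account.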
Muhammad Yahya Patel, vCISO and Cybersecurity Advisor at Huntress, said:
“This is a new category of risk that the industry needs to start taking seriously. As AI is integrated into operational workflows, customer support, identity verification and access management, the attack surface shifts from technical to logical vulnerabilities.
Any organization deploying AI in support, identity, or access workflows needs to ask itself one question before go-live: what happens if an attacker treats this tool as an attack surface? AI systems that can trigger privileged actions, such as password resets, account access and data recovery, require the same rigorous access controls and verification logic as any other privileged system. The fact that it is powered by AI does not reduce the risk. Right now, for many organizations, this is increasing.
The bigger issue is what this means regarding the process of reviewing the security of AI-based tools before they go into production.”
Via BleepingComputer