Instagram Users Urged to Enable 2FA After Vulnerability Found in Account Recovery System


309/69 Tuesday, June 9, 2026

Meta disclosed that 20,225 Instagram accounts were taken over after attackers exploited a vulnerability in its AI-assisted account recovery system, known as High Touch Support (HTS), to request password reset links. The system was designed to help users recover access to their Instagram accounts when they are unable to log in.

The issue occurred because the HTS system did not properly verify whether the email address used to receive the password reset link matched the email address registered to the Instagram account. As a result, attackers were able to specify an email address under their control to receive password reset links for other users’ accounts. If the targeted account did not have two-factor authentication (2FA) enabled, the attacker could reset the password and gain access to the account. Meta stated that the vulnerability was discovered in the system on May 31, 2026.

After detecting the incident, Meta disabled the HTS system and all password reset links generated by the system to prevent further exploitation. The company also required potentially affected accounts to go through a security checkup process and instructed affected users to reset their passwords and verify their identities again. Meta stated that it will improve email verification in the Instagram account recovery process and review similar account recovery processes across other Meta platforms.
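The missing check described above, shown as an added Python illustration. This is not Meta's code: the `RecoveryService` class, its method names and the sample account are hypothetical and constructed for this example.

```python
import hmac
import secrets
import unicodedata
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    registered_email: str


def normalize(email: str) -> bytes:
    # NFKC + casefold so case or Unicode-form variants of one address compare equal
    return unicodedata.normalize("NFKC", email).strip().casefold().encode()


class RecoveryService:
    """Hypothetical recovery backend; outbox stands in for the mail queue."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.outbox = []  # (recipient, token) pairs that would be mailed
        self.audit = []   # (event, username) records for detection

    def reset_unchecked(self, username, delivery_email):
        # The flaw: the destination comes from the request and is never
        # compared with the address registered to the account.
        if username not in self.accounts:
            return False
        self.outbox.append((delivery_email, secrets.token_urlsafe(32)))
        return True

    def reset_checked(self, username, claimed_email):
        account = self.accounts.get(username)
        if account is None:
            return False
        if not hmac.compare_digest(normalize(claimed_email),
                                   normalize(account.registered_email)):
            self.audit.append(("recovery_email_mismatch", username))
            return False  # same response as for an unknown account
        # Deliver only to the address on file, never the request-supplied string.
        self.outbox.append((account.registered_email, secrets.token_urlsafe(32)))
        return True


# Constructed sample data
svc = RecoveryService([Account("alice", "alice@example.com")])
```

The `recovery_email_mismatch` audit records give a detection team something to alert on when one source produces many mismatches across accounts.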

Source: https://www.bleepingcomputer.com/news/security/meta-ai-support-data-breach-affects-20-000-instagram-accounts/