A serious security incident has recently hit Instagram, leading to the compromise of 20,225 profiles. The cause lies in a vulnerability of the AI-based assistance system from Meta, known as High Touch Support.
This tool, originally designed to help people regain access to their blocked accounts, was exploited by malicious actors to bypass normal verification procedures and take control of accounts without two-factor authentication.
According to documents filed with the Office of the Maine Attorney General, the problem did not stem from the decision-making capabilities of artificial intelligence, but from a simple defect in a separate portion of code.
Amber Hannah, Associate General Counsel for Incident Response at Meta, explained that the system failed to verify whether the email address provided during the recovery request actually matched the one registered to the targeted Instagram account.
This flaw allowed attackers to supply an arbitrary email address and still receive a valid password reset link for the targeted account. Once the password had been replaced, the cybercriminals gained full control of the profile, leaving legitimate owners locked out.
Early signs of this massive operation date back to April 17, 2026, but the company officially identified the vulnerability only on May 31.
Although Meta stated that it does not know exactly which specific information was exfiltrated, the risks to user privacy are extremely high. Those who breached the systems potentially had unrestricted access to direct messages, private photos, videos, stories, dates of birth, phone numbers and the entire interaction history.
To contain the incident, the company immediately disabled the High Touch Support tool and invalidated all previously generated recovery links in order to neutralize the ongoing malicious campaign.
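The defect described above (a reset link issued for the targeted account but delivered to a requester-supplied address that was never checked against the address on file) and the response step of invalidating every outstanding link can both be shown in a small model of a recovery endpoint. The code below is an added illustration, not Meta's code or a description of its internals: the account directory, the class names and the token format are constructed for the example. The vulnerable variant reproduces the missing ownership check; the hardened variant restores it, delivers only to the registered address, makes tokens single-use with an expiry, and carries a revoke-all switch.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed account directory for the example: handle -> registered recovery
# email. A real deployment would read this from the account database.
ACCOUNTS = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
}

TOKEN_TTL_SECONDS = 15 * 60  # reset links stop working after fifteen minutes


def normalize_email(addr: str) -> str:
    # Trim and lower-case so " Alice@Example.com " matches the stored address.
    return addr.strip().lower()


@dataclass
class ResetToken:
    handle: str        # account the token unlocks
    issued_at: float   # epoch seconds at mint time
    generation: int    # revoke-all counter value at mint time


class VulnerableRecovery:
    """Models the defect the article describes: a reset token is minted for the
    requested handle and mailed to whatever address the requester supplied,
    without checking that the address is the one registered to that account."""

    def __init__(self):
        self.tokens = {}   # token -> ResetToken
        self.outbox = []   # (recipient, token) pairs that would be emailed

    def request_reset(self, handle: str, contact_email: str) -> Optional[str]:
        if handle not in ACCOUNTS:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = ResetToken(handle, time.time(), 0)
        # Missing ownership check: recipient is taken from the request as-is.
        self.outbox.append((normalize_email(contact_email), token))
        return token


class HardenedRecovery:
    """Same flow with the ownership check restored, plus single-use tokens,
    an expiry, and a revoke-all switch for invalidating outstanding links."""

    def __init__(self):
        self.tokens = {}
        self.outbox = []
        self.generation = 0  # bumped by revoke_all(); live tokens must match it

    def request_reset(self, handle: str, contact_email: str) -> Optional[str]:
        registered = ACCOUNTS.get(handle)
        if registered is None or normalize_email(contact_email) != registered:
            # Identical silent outcome for unknown handles and mismatched
            # addresses, so the endpoint does not confirm which email belongs
            # to which account. Nothing is sent.
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = ResetToken(handle, time.time(), self.generation)
        # Deliver only to the address on file, never to the supplied one.
        self.outbox.append((registered, token))
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the handle the token unlocks, or None if the token is unknown,
        already used, expired, or was issued before the last revoke_all()."""
        now = time.time() if now is None else now
        rec = self.tokens.pop(token, None)  # pop makes the token single-use
        if rec is None:
            return None
        if rec.generation != self.generation:
            return None
        if now - rec.issued_at > TOKEN_TTL_SECONDS:
            return None
        return rec.handle

    def revoke_all(self) -> None:
        """Incident-response lever: every link issued so far stops working."""
        self.generation += 1
```

The generation counter is what makes the revoke-all step cheap: nothing has to be enumerated or deleted, because a token minted under an older generation is rejected at redemption time regardless of where it was stored or how recently it was issued.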
At the same time, the involved profiles were placed under a mandatory security block, requiring a new authentication and the creation of fresh credentials to restore access. Andy Stone, Meta’s Vice President of Communications, took to social media to reassure the public, confirming that the technical issue has been isolated and resolved.
Before restoring automated support services, the company committed to rigorously implementing authentication controls and completing a thorough review of all existing recovery procedures across its applications.
Despite the speed of the intervention, this incident adds to a long list of issues that have weighed on the tech giant’s finances.
In the past, Irish authorities fined Meta 264 million dollars for a violation dating back to 2018, which compromised names and physical locations of over 29 million Facebook accounts.
In November 2022, sanctions continued with a fine of 265 million euros for not adequately protecting its databases from systematic data scraping, followed by a further fine of 91 million euros for storing the passwords of hundreds of millions of users in plain text, without any cryptographic protection.