
Meta has confirmed that 20,225 Instagram accounts were potentially compromised after attackers abused its AI-powered High Touch Support system to generate password reset links for accounts they did not own, according to a breach notification the company filed with Maine's Office of the Attorney General and disclosed on June 8, 2026. If your Instagram account lacks two-factor authentication, this campaign showed that a stranger could have seized it simply by asking a chatbot, which is why security teams are urging every user to check their settings this week.
The tool at the center of the incident, High Touch Support (HTS), is an AI-assisted recovery system Meta launched in March 2026 to help people regain access to locked Instagram accounts. Instead, from April 17, 2026 until Meta pulled the tool in early June, it functioned as a self-service hijacking machine for anyone who knew the trick.
One Broken Code Path Sent Instagram Reset Links to Emails Attackers Controlled
Meta's disclosure explains that users could ask HTS to send a password reset link to their email address, and the chatbot itself worked as designed. The failure sat in a separate code path: the system did not verify that the email address supplied with the request actually matched the email on file for the targeted Instagram account.
"When an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request," wrote Amber Hannah, Meta's associate general counsel for incident response legal, in the notification letter. "Upon resetting the password, the unauthorized party was able to log in to the account if the account holder had not enabled 2FA."
The mechanics required no malware and no phishing. An attacker asked the support bot to send a reset link to an inbox the attacker controlled, clicked that link, set a new password, and walked in the front door of someone else's account. Videos shared on Telegram showed criminals using VPN services to appear in the same general geographic region as a target before making the request, per Help Net Security.
The timeline makes the exposure window clear. Maine's filing lists April 17, 2026 as the incident date, while Meta says it discovered the vulnerability on May 31, 2026, meaning the flaw was exploitable for more than six weeks before anyone inside the company noticed.
Obama White House, Sephora, and a Space Force Chief Reportedly Among the Victims
The campaign reached far beyond ordinary users. Reporting by security journalist Brian Krebs, cited by Help Net Security, found that attackers targeted high-profile accounts including the Obama White House account and the account of US Space Force Chief Master Sergeant John Bentivegna. SecurityWeek reported that the Sephora account was also compromised and that many hijacked accounts were sold on dark web marketplaces.
Criminals also hunted short, high-value usernames that resell on underground forums for real money, and some openly shared videos and step-by-step instructions showing how the attack worked. After complaints flooded Reddit, X, and Telegram in late May 2026, Andy Stone, Meta's vice president of communications, replied to one affected user that the "issue has been resolved, and we are securing impacted accounts," according to BleepingComputer.
Meta says it has no evidence of what information, if any, was actually taken from the 20,225 affected accounts. It acknowledged, however, that the attackers could have seen everything a logged-in user sees: email addresses and phone numbers, dates of birth, photos, videos and stories, direct messages, account activity and interaction history, profile details, and linked services.
How Do You Know if Your Instagram Account Was Affected?
Meta has already enrolled every potentially affected account in a mandatory security checkpoint, reset those passwords, and required re-authentication, so users who were hijacked should hit that wall the next time they log in. The company also told Maine regulators that "as soon as practical" it will send notifications recommending that impacted users review their security settings and enable 2FA, and Hannah confirmed that 30 of the affected users live in Maine alone.
Hannah also cautioned that the real victim count could be lower than 20,225. Meta counted every account whose password was reset through the tool, that lacked 2FA, and that was likely accessed afterward, and some of those logins may have come from legitimate owners rather than criminals.
Telltale warning signs include a password reset email you never requested between April 17 and early June 2026, an unfamiliar email address or phone number attached to your account, posts or messages you did not send, and login alerts from devices or cities you do not recognize.
What Instagram Users Should Do Right Now: Turn On 2FA and Audit Login Activity
The most important fact in Meta's entire disclosure is that two-factor authentication stopped this attack cold. Even after a successful password reset, accounts with 2FA enabled on June 8, 2026 could not be entered by the attackers.
There are five steps every Instagram user should take today. First, enable 2FA through Settings, then Accounts Center, then Password and security; an authentication app is the strongest everyday option, but even SMS codes would have blocked this exploit. Second, open "Where you're logged in" and log out any device or location you do not recognize. Third, confirm the email address and phone number on your account and delete anything you did not add. Fourth, change your password if you received an unexpected reset email this spring. Fifth, treat unsolicited "Meta security" emails carefully, because phishing crews routinely impersonate real breach notifications within days of disclosure.
Meta Faces Liability Questions After a String of Nine-Figure Privacy Fines
Before relaunching the tool, Meta says it will fix the authentication check so the recovery flow verifies email addresses against existing account information before any reset is initiated, and it is conducting a review of similar recovery flows across all of its platforms. That promise will be scrutinized, because the company's data-protection record is already expensive: Ireland's privacy regulator fined Meta $264 million over a 2018 Facebook breach affecting 29 million accounts, after a 265 million euro penalty in November 2022 for failing to protect users from data scraping and a 91 million euro fine for storing passwords in plaintext.
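As an added illustration of the missing check described in Meta's disclosure and the fix the company says it will make, here is a flawed reset path beside a hardened one. This is example code written for this article, not Meta's HTS code; the account names, addresses and the outbox are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str              # verified contact address on file
    mfa_enabled: bool = False


# Constructed sample directory; these are not real accounts.
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com", mfa_enabled=False),
    "bob": Account("bob", "bob@example.com", mfa_enabled=True),
}

# Records (recipient, token) for every reset link the service "sends".
OUTBOX: list[tuple[str, str]] = []


def _normalize(addr: str) -> str:
    return addr.strip().lower()


def vulnerable_request_reset(username: str, supplied_email: str) -> bool:
    """Flawed path: mails the reset link to whatever address the caller supplied."""
    if username not in ACCOUNTS:
        return False
    OUTBOX.append((supplied_email, secrets.token_urlsafe(32)))  # caller's inbox, unverified
    return True


def hardened_request_reset(username: str, supplied_email: str) -> str:
    """Fixed path: the supplied address must match the one on file, and the link
    is only ever delivered to the address on file, never to the caller's input."""
    acct = ACCOUNTS.get(username)
    matches = acct is not None and hmac.compare_digest(
        _normalize(acct.email).encode(), _normalize(supplied_email).encode()
    )
    if matches:
        OUTBOX.append((acct.email, secrets.token_urlsafe(32)))
    # Identical reply whether or not it matched, so the endpoint cannot be used
    # to confirm which address belongs to an account.
    return "If that address matches our records, a reset link has been sent."


def links_delivered_to(addr: str) -> int:
    """How many reset links reached a given mailbox."""
    return sum(1 for to, _ in OUTBOX if _normalize(to) == _normalize(addr))
```

The hardened version also shows the second property a recovery endpoint needs: the same generic response for matching and non-matching addresses, so the check cannot be turned into an address-confirmation oracle.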
The larger lesson reaches past Meta's Menlo Park headquarters. When the company launched its AI support assistant in March 2026, it said it was "rigorously testing each of these AI systems, building in safeguards and evaluating their performance." Within roughly six weeks, the automation built to rescue locked-out users had become the fastest way to lock them out. As businesses wire AI agents into customer-facing workflows that touch authentication, the HTS breach is set to become the textbook case for why those flows need the same adversarial testing as a login page.
Frequently Asked Questions
What is Meta High Touch Support and how was it hacked?
High Touch Support (HTS) is an AI-assisted account recovery system Meta launched in March 2026 to help Instagram users who were locked out of their accounts. A bug in a separate code path meant the system never checked whether the email address given for a password reset actually belonged to the targeted account. Attackers exploited that gap from April 17, 2026 until Meta disabled the tool, taking over accounts that lacked two-factor authentication.
How do I turn on two-factor authentication on Instagram?
Open Instagram, go to Settings, tap Accounts Center, then Password and security, and choose Two-factor authentication. You can pick an authentication app, SMS codes, or both, and an authentication app is generally the stronger choice. Meta confirmed that accounts with any form of 2FA enabled could not be hijacked in this campaign.
Will Meta notify me if my Instagram account was part of the breach?
Yes. Meta told Maine's Attorney General it intends to send notifications to all 20,225 potentially impacted users "as soon as practical." Affected accounts have already been placed in a mandatory security checkpoint with forced password resets, so hijacked users will be required to re-authenticate before regaining access.
What information could hackers see in a hijacked Instagram account?
Meta says attackers could have accessed contact details such as email addresses and phone numbers, dates of birth, photos, videos, stories, direct messages, account activity, profile information, and linked services. The company has found no evidence confirming what was actually taken. Anyone affected should assume private messages and contact details may have been viewed.
© 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.