Meta's AI support tool flaw leads to 20,000 Instagram accounts hijacked

Attackers exploited a flaw in Meta's AI account recovery tool to hijack over 20,000 Instagram accounts between April 17 and May 31, 2026. The system issued password reset links without verifying that email addresses matched the targeted accounts.

Published on: Jun 08, 2026

Meta's AI Support System Compromised in Account Hijacking Attack

Meta disclosed that attackers exploited a flaw in its AI-powered Instagram account recovery tool to hijack over 20,000 accounts. The breach began on April 17, 2026, and Meta discovered the vulnerability on May 31.

The attackers used Meta's High Touch Support system, an AI customer support tool designed to help locked-out users regain access, to reset passwords without proper verification. The system failed to confirm whether email addresses belonged to the targeted Instagram accounts before issuing password reset links.

Accounts without two-factor authentication enabled were particularly vulnerable. Once attackers obtained the reset links, they could log in and take control of accounts.

What Attackers Could Access

Meta said it has no evidence that personal data was stolen, but acknowledged attackers could have accessed:

  • Contact information (email addresses and phone numbers)
  • Dates of birth
  • Photos, videos, and stories
  • Direct messages
  • Account activity history
  • Profile information
  • Connected accounts and linked services

Meta's Response

Meta disabled the High Touch Support system and invalidated all password reset links it had generated. The company enrolled affected accounts in a mandatory security checkpoint and required users to reset passwords and re-authenticate.

Before relaunching the tool, Meta said it will fix the authentication check to verify email addresses against existing account information. The company is also reviewing similar account recovery systems across its other platforms.

Andy Stone, Meta's vice president of communications, said the "issue has been resolved, and we are securing impacted accounts."

Broader Context

This breach reflects a pattern of security lapses at Meta. In 2018, the company exposed names, email addresses, phone numbers, and locations of 29 million Facebook users. Meta was fined €265 million in 2022 for failing to protect users from scrapers and another €91 million for storing hundreds of millions of passwords in plaintext.

For customer support teams, this incident underscores a critical issue: AI agents and automation systems require rigorous authentication checks before executing sensitive operations like password resets. A single missing verification step can compromise thousands of accounts.
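The check the article describes, as an added example (not Meta's code): a simplified model of a support agent's reset tool, with the reported failure mode beside a guarded version that matches the claimed address against the account's verified addresses and delivers only to the stored one. The account store, outbox, and all function names are hypothetical, and the sample data is constructed.

```python
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    handle: str
    verified_emails: set[str] = field(default_factory=set)

# Constructed sample data: one account with one verified address on file.
ACCOUNTS = {"alice_example": Account("alice_example", {"alice@example.com"})}
OUTBOX: list[tuple[str, str]] = []  # (recipient, token); stand-in for a mail queue
GENERIC_REPLY = "If the details match our records, a reset link has been sent."

def normalize(email: str) -> str:
    return email.strip().casefold()

def on_file_match(account: Account, claimed: str) -> str | None:
    """Return the stored address that matches the claim, or None."""
    claimed_n = normalize(claimed).encode()
    for stored in account.verified_emails:
        if hmac.compare_digest(normalize(stored).encode(), claimed_n):
            return stored
    return None

def weak_issue_reset(handle: str, claimed_email: str) -> str:
    """Model of the reported failure: the link goes to whatever address is supplied."""
    if handle in ACCOUNTS:
        OUTBOX.append((claimed_email, secrets.token_urlsafe(32)))
    return GENERIC_REPLY

def guarded_issue_reset(handle: str, claimed_email: str) -> str:
    """Tool-side guard: no reset unless the claimed address is on file."""
    account = ACCOUNTS.get(handle)
    stored = on_file_match(account, claimed_email) if account else None
    if stored is not None:
        # Deliver to the stored address, never to the caller-supplied string.
        OUTBOX.append((stored, secrets.token_urlsafe(32)))
    # Same reply on every path, so the tool does not confirm accounts or addresses.
    return GENERIC_REPLY
```

Placing the check inside the tool, rather than in the agent's instructions, means the model cannot skip it regardless of what the conversation contains.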

