Meta confirms: critical vulnerability in account recovery tool exposed over 20K Instagram users


Meta’s Instagram account recovery tool helped hackers take control of more than 20,000 accounts, the tech company acknowledges.


In a data breach notice addressed to the Office of the Maine Attorney General, the Menlo Park-based company affirms that 20,225 Instagram users’ accounts were compromised due to a vulnerability in an Instagram account recovery support tool, also known as ‘High Touch Support’ or HTS.


HTS is an AI-powered support tool to help Instagram users regain access to their accounts when they’re locked out. As part of the support process, users have to provide their email address to receive a password reset link.

This is the part where things went horribly wrong.


The support tool didn’t properly verify the email address provided by the person requesting a password reset. As a result, the password reset link was sent to an address not associated with the account, rather than the request being rejected.

“This allowed unauthorized third parties to receive a password reset link for accounts they did not own. Upon resetting the password, the unauthorized party was able to log in to the account if the account holder had not enabled two-factor authentication (2FA),” Meta explains in the data breach notice.

Once a password reset had been performed, the unauthorized person potentially had access to the victim’s contact information, date of birth, social media posts and content, direct messages and communications, account activity and interaction history, profile information, and connected accounts and linked services.

Meta discovered the vulnerability on May 31st, 2026. Unauthorized third parties exploited it to perform password resets on Instagram accounts with “OG” handles, including US Space Force Chief Master Sgt. John F. Bentivegna and the Obama White House-era Instagram account.

[Image: Barack Obama. Pool via Getty Images.]

All accounts have been secured to prevent further unauthorized access by invalidating all existing password reset links that were generated, Meta says. In addition, the AI-assisted support tool was disabled. Lastly, impacted users were instructed to reset their passwords and re-authenticate through secure, verified channels.

Meta promises to fix the authentication check to make sure email addresses are properly verified against existing account information before the password reset procedure is initiated.
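The flawed check and its fix, as an added example that is not Meta’s code: a constructed reset flow in which the vulnerable handler mails the link to whatever address the requester supplies, beside a fixed handler that sends only to the address on record, plus the login step that shows why 2FA blocked the takeover. The fixed handler also answers identically whether or not the address matched, which goes beyond what the notice describes; the account names, addresses and OTP value are constructed.

```python
# Added example (not Meta's code): constructed password-reset flow, flawed vs fixed handler.
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    email: str              # address on record for the account
    password: str
    two_factor: bool = False

# Constructed sample data; these are not real accounts.
ACCOUNTS = {
    "ogname": Account("owner@example.com", "hunter2"),
    "careful": Account("careful@example.com", "hunter2", two_factor=True),
}
ISSUED = {}  # reset token -> username, for links that are still valid
RESPONSE = "If the details match an account, a reset link has been sent."

def issue_token(username, recipient, outbox):
    token = secrets.token_urlsafe(32)
    ISSUED[token] = username
    outbox.append((recipient, token))  # outbox stands in for the mail system

def request_reset_vulnerable(username, supplied_email, outbox):
    """Flawed flow: never compares the supplied address with the one on record,
    so the link is delivered to an inbox the requester chose."""
    if username in ACCOUNTS:
        issue_token(username, supplied_email, outbox)
    return RESPONSE

def request_reset_hardened(username, supplied_email, outbox):
    """Fixed flow: the link goes only to the address on record, and only when the
    supplied address matches it; the reply never reveals which case occurred."""
    account = ACCOUNTS.get(username)
    if account and account.email.lower() == supplied_email.strip().lower():
        issue_token(username, account.email, outbox)
    return RESPONSE

def complete_reset(token, new_password):
    username = ISSUED.pop(token, None)  # single-use: whoever holds the link can use it
    if username is None:
        return False
    ACCOUNTS[username].password = new_password
    return True

def login(username, password, second_factor=None):
    account = ACCOUNTS.get(username)
    if account is None or account.password != password:
        return False
    return not account.two_factor or second_factor == "123456"  # stand-in OTP check; 2FA blocks reset-only takeover
```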

Furthermore, Meta will conduct a comprehensive review of similar account recovery flows across Meta’s platforms to identify and remediate any potential issues.
