Meta AI Support Flaw Leads to Hijacking of Over 20,000 Instagram Accounts
What Happened — Attackers exploited a design flaw in Meta’s AI‑powered “High Touch Support” (HTS) password‑reset tool, allowing them to obtain reset links without verifying the target email address. The abuse resulted in the hijacking of more than 20,000 Instagram accounts, exposing personal data such as contact details, birth dates, posts, direct messages, and linked services.
Why It Matters for TPRM —
- A compromised social‑media vendor can be leveraged to harvest credentials for downstream services and third‑party integrations.
- The incident demonstrates the risk of AI‑driven support automation lacking proper identity verification.
- Exposure of personal data may trigger regulatory notifications and affect contractual obligations with vendors that rely on Instagram for marketing or authentication.
Who Is Affected — Social‑media platforms, digital marketing agencies, brands that use Instagram for customer engagement, and any third‑party services that integrate with Instagram APIs.
Recommended Actions —
- Review contracts with Meta/Instagram for security clauses related to account recovery processes.
- Verify that any internal tools that ingest Instagram data enforce MFA and robust credential handling.
- Monitor for suspicious activity on accounts linked to your organization and consider mandatory password resets for affected users.
Technical Notes — The HTS flaw bypassed email‑address validation, allowing password‑reset links to be generated for arbitrary accounts. No two‑factor authentication was required for the reset flow. Meta disabled the HTS feature and revoked all generated reset links, then forced a security checkpoint for affected accounts. Source: BleepingComputer