HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Meta AI Support Flaw Leads to Hijacking of Over 20,000 Instagram Accounts

Attackers abused a vulnerability in Meta's AI‑driven High Touch Support tool to reset passwords for more than 20,000 Instagram users, exposing personal data and bypassing two‑factor authentication. The breach highlights the need for rigorous verification in automated support flows and prompts third‑party risk managers to reassess reliance on Instagram‑linked services.

LiveThreat™ Intelligence · 📅 June 08, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

Meta AI Support Flaw Leads to Hijacking of Over 20,000 Instagram Accounts

What Happened — Attackers exploited a design flaw in Meta’s AI‑powered “High Touch Support” (HTS) password‑reset tool, allowing them to obtain reset links without verifying the target email address. The abuse resulted in the hijacking of more than 20,000 Instagram accounts, exposing personal data such as contact details, birth dates, posts, direct messages, and linked services.

Why It Matters for TPRM

  • A compromised social‑media vendor can be leveraged to harvest credentials for downstream services and third‑party integrations.
  • The incident demonstrates the risk of AI‑driven support automation lacking proper identity verification.
  • Exposure of personal data may trigger regulatory notifications and affect contractual obligations with vendors that rely on Instagram for marketing or authentication.

Who Is Affected — Social‑media platforms, digital marketing agencies, brands that use Instagram for customer engagement, and any third‑party services that integrate with Instagram APIs.

Recommended Actions

  • Review contracts with Meta/Instagram for security clauses related to account recovery processes.
  • Verify that any internal tools that ingest Instagram data enforce MFA and robust credential handling.
  • Monitor for suspicious activity on accounts linked to your organization and consider mandatory password resets for affected users.

Technical Notes — The HTS flaw bypassed email‑address validation, allowing password‑reset links to be generated for arbitrary accounts. No two‑factor authentication was required for the reset flow. Meta disabled the HTS feature and revoked all generated reset links, then forced a security checkpoint for affected accounts. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/meta-ai-support-data-breach-affects-20-000-instagram-accounts/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →