Meta has revealed that more than 20,000 Instagram accounts were hijacked in a recent incident in which attackers used Meta’s AI-powered support system to reset the accounts’ passwords.
As BleepingComputer reported a week ago, the attackers exploited a flaw in the company’s High Touch Support (HTS) tool, an AI-assisted support system that helps users regain access to their Instagram account after being locked out.
The attackers exploited the fact that HTS did not verify whether the submitted email address was associated with the target’s Instagram account. That let them obtain a password reset link for the account, log in and take it over without triggering two-factor authentication (2FA).
As users reported these attacks on social media, Andy Stone, Meta’s vice president of communications, replied to one of the affected users: “The issue has been resolved and we’re securing the affected accounts.”
BleepingComputer also contacted Meta last week for comment on the breach, but has yet to hear back.
“We would like to inform you that a vulnerability in the Instagram Account Recovery Support Tool may have resulted in the Instagram accounts of 30 users in your jurisdiction being compromised. All accounts have been secured to prevent continued unauthorized access,” Meta said in a recent letter to the Maine Attorney General’s Office regarding the data breach.
“On May 31, 2026, Meta discovered a vulnerability in Instagram’s AI-assisted account recovery system (‘High Touch Support’ or ‘HTS’). This vulnerability was exploited by an unauthorized third party to perform password resets on Instagram user accounts,” Meta explained.
Meta did not say in the letter when the attack began, but documents posted on the Maine OAG website list the breach date as April 17, which is likely the date of the first attack exploiting the HTS flaw.
The company also said it had no information on what personal data was accessed or stolen from the compromised accounts, but noted that the attackers may have had access to affected Instagram users’ contact information (email addresses and phone numbers), dates of birth, social media posts and content (photos, videos, stories), direct messages and communications, account activity and interaction history, profile information (bios, profile pictures), and other connected accounts and linked services.

After discovering the incident, the company disabled the HTS AI-powered support system and invalidated all HTS-generated password reset links, so that any further hijacking attempts belonging to the same malicious campaign are blocked.
“We also put all potentially compromised accounts through mandatory security checkpoints and required all affected users to reset their passwords and re-authenticate to protect and regain control of their compromised accounts.”
“Prior to relaunching the tool, Meta will be modifying the authentication checks in Instagram’s recovery entry point to ensure that email addresses are properly validated against existing account information before a password reset is initiated,” Meta added. “Additionally, Meta is conducting a comprehensive review of similar account recovery flows across Meta’s platforms to identify and remediate potential issues.”
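To make the class of flaw concrete, here is a toy Python model of an account-recovery endpoint, added for this article and not Meta’s or Instagram’s code. The vulnerable handler issues a reset link to whatever address the caller supplies, which is the behaviour described above; the hardened handler applies the check Meta says it is adding, validating the submitted address against the one on file before a reset is initiated. The account data, function names, in-memory token store and outbox are all constructed for the example.

```python
"""Toy account-recovery flow showing the class of bug described above.

Added example for this article, not Meta's or Instagram's code. The account
data, the function names and the token handling are all constructed here.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    email: str  # address registered on the account; the only one a reset may go to


# Constructed sample data: one account an attacker wants to take over.
ACCOUNTS = {"victim": Account("victim", "victim@example.com")}

# Toy stand-ins for the reset-token store and the outgoing mail queue.
ISSUED: Dict[str, str] = {}            # token -> username it was issued for
OUTBOX: List[Tuple[str, str]] = []     # (recipient address, token)


def reset_state() -> None:
    """Clear the toy stores between scenarios."""
    ISSUED.clear()
    OUTBOX.clear()


def issue_and_deliver(acct: Account, recipient: str) -> str:
    """Mint a random reset token for acct and queue it for delivery to recipient."""
    token = secrets.token_urlsafe(32)
    ISSUED[token] = acct.username
    OUTBOX.append((recipient, token))
    return token


def normalize_email(addr: str) -> str:
    """Trim and lower-case so 'Victim@Example.com ' compares equal to the stored value."""
    return addr.strip().lower()


def vulnerable_recovery(username: str, contact_email: str) -> dict:
    """Vulnerable: the caller supplies 'their' email and the handler never checks
    that it belongs to the account. Whoever asks gets a live reset link."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"sent_to": None}
    issue_and_deliver(acct, contact_email)  # recipient is attacker-controlled
    return {"sent_to": contact_email}


GENERIC = {"status": "If that account exists, a reset link was sent to its registered address."}


def hardened_recovery(username: str, contact_email: str) -> dict:
    """Hardened along the lines Meta describes: the supplied address is validated
    against the address on file before any reset is initiated.

    Two further properties a practitioner would want here: the link is delivered
    only to the address on file (never to the submitted string), and the response
    is identical for an unknown account and for a non-matching address, so the
    endpoint cannot be used to confirm which email belongs to which account."""
    acct = ACCOUNTS.get(username)
    if acct is not None:
        supplied = normalize_email(contact_email).encode()
        on_file = normalize_email(acct.email).encode()
        if hmac.compare_digest(supplied, on_file):   # constant-time comparison
            issue_and_deliver(acct, acct.email)
    return dict(GENERIC)


def redeem_reset_token(token: str) -> Optional[str]:
    """Single use: a token is consumed on first redemption. Returns the account it
    was issued for, or None. In a real flow the caller would still have to pass the
    account's 2FA challenge before a new password is accepted."""
    return ISSUED.pop(token, None)


if __name__ == "__main__":
    # An attacker who knows only the victim's username and controls their own mailbox.
    print(vulnerable_recovery("victim", "attacker@evil.example"))            # link lands with the attacker
    reset_state()
    print(hardened_recovery("victim", "attacker@evil.example"), OUTBOX)     # nothing is sent
    print(hardened_recovery("victim", " Victim@Example.com "), OUTBOX)      # sent to the address on file
```

The hardened handler is deliberately stricter than the one-line fix: it never uses the submitted string as a delivery address, it gives the same answer for a wrong address and a non-existent account, and tokens are single-use. Those are the same checks to look for when reviewing any recovery flow that an AI assistant or support agent can trigger on a user’s behalf, since the assistant inherits whatever the underlying endpoint allows.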
Before this incident, Ireland also fined Meta $264 million over a 2018 data breach that exposed the names, email addresses, phone numbers and physical locations of more than 29 million Facebook accounts.
Meta was also fined 265 million euros ($275.5 million) in November 2022 for failing to protect Facebook users’ data from scrapers, and a further 91 million euros ($100 million) for storing hundreds of millions of users’ passwords in plain text.
