Meta Confirmed About 20,000 Instagram Accounts May Have Been Hacked

Meta confirmed a security incident involving Instagram’s account recovery system, saying a vulnerability in its AI-assisted support tool was exploited to gain access to user accounts.

In a notice sent to the Attorney General of Maine, Meta wrote, “We are writing to inform you that a vulnerability in an Instagram account recovery support tool was used to potentially compromise the Instagram accounts of 30 users in your jurisdiction. All accounts have been secured to prevent any continued unauthorised access.”

How Did This Happen?

The company said it discovered the issue at the end of May. It traced the problem to an AI-assisted support system called High Touch Support (HTS), used when users ask for help regaining access to locked Instagram accounts. Meta wrote, “HTS is an AI-assisted support tool designed to help users who are locked out of their Instagram accounts regain access.”

The notice said the tool itself worked as designed, but a bug in a separate code path meant the email check was not performed correctly during password reset requests. Meta explained, “the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account.”

As a result, attackers were able to trigger password reset links that went to email addresses not linked to the account owner. Meta said this allowed “unauthorised third parties to receive a password reset link for accounts they did not own.”

How Did Attackers Gain Access?

The access issue came down to how the recovery system handled identity checks during password resets.

Meta said the system failed to reject requests when a mismatched email address was entered. Instead, it still sent a reset link. Once that link was used, access was possible in cases where two-factor authentication was not active.

Meta wrote, “Upon resetting the password, the unauthorized party was able to log in to the account if the account holder had not enabled two-factor authentication (2FA).”
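The following is an added illustration, not Meta's or Instagram's code, of the class of bug the notice describes: a password-reset handler that trusts the email address supplied by the requester instead of comparing it with the address on record. It sits beside a hardened handler, models the 2FA gate that the notice says stopped the reset from turning into a login, and includes the bulk invalidation of outstanding reset links that the notice lists among the remediation steps. The account names, email addresses, password hashes, TOTP secret and service layout are all constructed for the example.

```python
"""Added example (not Meta's code): vulnerable vs. hardened password reset,
with a 2FA gate and bulk token revocation. All data below is constructed."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    email: str                              # address on record for the account
    password_hash: str                      # stand-in for a real password hash
    totp_secret: Optional[bytes] = None     # set when the user has enabled 2FA


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1), used as the second factor."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class ResetService:
    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.tokens = {}      # reset token -> username (outstanding links)
        self.outbox = []      # (recipient, token) for every mail "sent"

    def _issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        return token

    def request_reset_vulnerable(self, username: str, supplied_email: str) -> bool:
        """The bug pattern: checks only that the account exists, then mails the
        link to whatever address the requester typed. The supplied address is
        never compared with the address on record."""
        if username not in self.accounts:
            return False
        self.outbox.append((supplied_email, self._issue(username)))
        return True

    def request_reset_hardened(self, username: str, supplied_email: str) -> None:
        """The fix: issue a link only if the supplied address matches the record,
        and deliver it to the stored address, never the supplied one. Unknown
        users and mismatches get the same silent outcome, so the endpoint
        cannot be used to confirm usernames or addresses."""
        account = self.accounts.get(username)
        if account is None:
            return
        supplied = supplied_email.strip().lower().encode()
        if not hmac.compare_digest(supplied, account.email.lower().encode()):
            return
        self.outbox.append((account.email, self._issue(username)))

    def complete_reset(self, token: str, new_password_hash: str) -> bool:
        """Consumes a reset token (single use) and sets the new password."""
        username = self.tokens.pop(token, None)
        if username is None:
            return False
        self.accounts[username].password_hash = new_password_hash
        return True

    def login(self, username: str, password_hash: str, now: int,
              code: Optional[str] = None) -> bool:
        """Password alone suffices only when 2FA is off; otherwise a current
        TOTP code is also required, which is what blocked attackers from
        accounts whose owners had enabled 2FA."""
        account = self.accounts.get(username)
        if account is None or not hmac.compare_digest(password_hash, account.password_hash):
            return False
        if account.totp_secret is None:
            return True
        return code is not None and hmac.compare_digest(code, totp(account.totp_secret, now))

    def invalidate_all_tokens(self) -> int:
        """Remediation: revoke every outstanding link so unused ones are worthless."""
        n = len(self.tokens)
        self.tokens.clear()
        return n


def demo() -> dict:
    """Runs the attack against both handlers; returns observations for checking."""
    accounts = {
        "alice": Account("alice", "alice@example.com", "hash(alice-pw)"),
        "bob": Account("bob", "bob@example.com", "hash(bob-pw)", totp_secret=b"bob-2fa-secret"),
    }
    svc, attacker_mail, now = ResetService(accounts), "attacker@example.net", 1_700_000_000

    svc.request_reset_vulnerable("alice", attacker_mail)      # link goes to attacker
    recipient, token = svc.outbox[-1]
    svc.complete_reset(token, "hash(attacker-pw)")
    alice_taken_over = svc.login("alice", "hash(attacker-pw)", now)

    svc.request_reset_vulnerable("bob", attacker_mail)        # reset works, login does not
    _, token = svc.outbox[-1]
    svc.complete_reset(token, "hash(attacker-pw)")
    bob_taken_over = svc.login("bob", "hash(attacker-pw)", now)

    before = len(svc.outbox)
    svc.request_reset_hardened("alice", attacker_mail)        # mismatch: nothing sent
    return {"vulnerable_recipient": recipient, "alice_taken_over": alice_taken_over,
            "bob_taken_over": bob_taken_over, "hardened_sent": len(svc.outbox) - before}


if __name__ == "__main__":
    print(demo())
```

The hardened handler deliberately gives the same empty response for an unknown username, a mismatched address and a successful request, so the reset endpoint leaks neither account existence nor the address on record; the link itself only ever travels to the stored address. The `totp` helper is a plain RFC 6238 implementation so the 2FA gate is real rather than a flag.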

The company said the figure of 30 users in Maine is an upper limit rather than a confirmed count, and that some of those accounts may have been accessed by their legitimate owners rather than by attackers.

The notice also said that personal data inside affected accounts could have been exposed, including contact details, birth dates, posts, direct messages, profile information and account activity history, although Meta could not say what was actually taken. It wrote, “We are unaware of what, if any, personal information was accessed.”

What Has Meta Done Since The Discovery?

Meta said it acted the same day it identified the exploitation of the tool.

The company disabled the AI-assisted recovery feature at the centre of the issue. It wrote, “Disabled the AI-assisted support tool removing the vulnerable code path from production.”

It also invalidated all password reset links created through the faulty process, so that any links attackers had obtained but not yet used could no longer be redeemed.

To secure accounts, Meta placed potentially affected users behind a mandatory security checkpoint before they could regain access, and told them to reset their passwords and verify logins through secure channels.

Meta added that it plans changes before reintroducing the tool. It said it will fix the authentication check so email addresses are properly matched to account records before any reset is allowed. It also said it is reviewing similar systems across its platforms.

What Does This Mean For Wider Security Thinking?

Security leaders say incidents like this show that identity verification, including on account recovery and password reset paths, remains central to cyber defence strategies.

David Nuti, Head of Security Strategy at Extreme Networks, said organisations need stronger verification systems across all access points. He said, “As the attack surface expands, the only way forward is for organisations to shift from a reactive to a proactive network security posture, built on the principle of ‘never trust, always verify’.”

He added, “Assume the stance of a constant state of breach regarding identity. Do not wait for the breach to occur. By then it is already too late.”