IRCNF
Security

Meta's AI account recovery tool handed 20,000 Instagram accounts to hackers

BleepingComputer
Share:
Meta's AI account recovery tool handed 20,000 Instagram accounts to hackers

What Happened

Meta has confirmed that roughly 20,225 Instagram accounts were compromised between April 17 and May 31, 2026, when attackers exploited a critical vulnerability in its AI-powered account recovery system. The affected tool, called High Touch Support (HTS), is designed to help users who have lost access to their accounts — but a logic flaw turned it into an account takeover vector.

The vulnerability was discovered internally on May 31. Meta has since disabled HTS, invalidated all password reset links generated through the exploited flow, and enrolled affected accounts in a mandatory security checkpoint requiring a password reset.

How the Attack Worked

HTS is an AI-assisted system that walks users through account recovery, including verifying identity via an email address. The flaw: the tool failed to confirm that the email provided for a password reset actually belonged to the target account. Attackers supplied their own email addresses instead, and the tool processed the reset anyway.

Researchers and responders observing the attacks noted that some of the more sophisticated exploitation attempts used prompt injection — crafting inputs that manipulated the AI support tool's behavior to bypass safeguards designed to catch anomalous recovery requests. This is one of the first confirmed cases of prompt injection being used at scale against a major platform's production AI system.

Accounts without two-factor authentication enabled were the most vulnerable: once an attacker had linked their email and reset the password, they had full control. High-value accounts that had 2FA enabled required additional steps, though some were still compromised through social engineering around the recovery flow.

Who Was Affected

The breach disproportionately hit high-follower accounts. Among the confirmed compromised accounts were those tied to the Obama White House archive, beauty brand Sephora, and US Space Force Chief Master Sergeant John Bentivegna. Several stolen high-value Instagram handles subsequently appeared for sale on dark web marketplaces, with estimated resale values on some exceeding $1 million.

The total of 20,225 accounts represents a fraction of Instagram's 2+ billion active users, but the targeting of high-profile handles suggests the attackers had a systematic method for identifying and prioritizing valuable targets before executing the HTS exploit.

Meta's Response

Meta has taken the following steps as of the date of disclosure:

  • HTS disabled — the tool will not be re-enabled until a fix that enforces proper email verification ownership is in place
  • All reset links invalidated — any password reset link generated through the compromised flow has been revoked
  • Mandatory security checkpoints — affected accounts must reset passwords and review recovery options before regaining normal access
  • User notifications — Meta is in the process of notifying all affected account holders
  • Cross-platform audit — a review of similar AI-assisted account recovery flows across Facebook, Threads, and WhatsApp is underway to identify analogous vulnerabilities

Meta has reported the incident to relevant regulatory authorities. Given GDPR and applicable data protection rules in the EU and UK, formal notifications to supervisory authorities are expected to follow.

The Bigger Problem: AI Tools as Attack Surfaces

This incident highlights a risk that security researchers have flagged for years but that is now materializing in production: AI systems deployed for user-facing support are difficult to harden against adversarial inputs. Traditional software has deterministic logic that can be tested exhaustively. An AI support tool that processes free-text inputs, makes judgment calls about identity verification, and handles edge cases via model inference has a fundamentally different attack surface.

Prompt injection — feeding crafted text inputs to manipulate an AI's behavior — has previously been demonstrated in research settings and in lower-stakes integrations. The HTS incident establishes it as a real-world threat against authentication-critical systems at scale.

For security teams evaluating AI-assisted support, identity verification, or access control flows: never rely solely on AI judgment for account recovery decisions. Deterministic verification steps (verified email ownership, 2FA codes, government ID checks) should be mandatory gates that the AI cannot bypass or route around, regardless of what the model infers from user input.

What Affected Users Should Do

  • If you received a notification from Meta, follow its instructions to reset your password and review connected apps
  • Enable two-factor authentication immediately if you haven't — use an authenticator app, not SMS
  • Review your account's active sessions and revoke any unrecognized devices
  • Check whether your account's linked email and phone number are still yours
  • If you believe your account was sold or transferred without consent, file a report directly with Meta's Help Center and, if warranted, your local data protection authority
Metasecurity-breachinstagramprompt injectionai-securityaccount-takeover

Originally reported by BleepingComputer. Read the original article for additional details.

View original source
Share: