Instagram Users on Alert: Over 20,000 Accounts Compromised After Flaw Found in Meta's AI Recovery System
- by Sagar
- 11 Jun, 2026
Meta has acknowledged a major security incident involving Instagram accounts after a vulnerability in its AI-powered account recovery system was allegedly exploited by hackers. According to the company, more than 20,000 Instagram accounts worldwide may have been affected by the breach, raising fresh concerns about online account security and the risks associated with automated recovery tools.
The issue reportedly originated from a flaw in Meta's High Touch Support (HTS) system, a specialized recovery mechanism designed to help users regain access to locked Instagram accounts. Security investigators found that attackers were able to misuse the system to obtain password reset links and gain unauthorized access to accounts, particularly those without Two-Factor Authentication (2FA) enabled.
How the Security Breach Happened
Meta stated that the vulnerability was discovered on May 31, 2026, during an internal security review. Subsequent investigations revealed that attackers had been exploiting the flaw for weeks before it was detected.
According to reports, the weakness existed within the AI-assisted account recovery workflow. The system allegedly failed to properly verify whether the email address submitted during the recovery process actually belonged to the Instagram account owner.
This loophole allowed attackers to convince the AI-powered support system that a different email address was legitimately associated with the target account. Once accepted, password reset links were sent to the attacker's email address, effectively giving them control over the account.
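The gap described above, reduced to a minimal model, followed by the check that closes it. This is an added example, not Meta's code; the account data, function names and the second-factor flag are assumptions made for illustration.

```python
# Added illustration, not Meta's code. Account data and names are constructed.
import secrets

ACCOUNTS = {
    "alice_photos": {"verified_emails": {"alice@example.com"}, "two_factor": True},
    "bob_travel": {"verified_emails": {"bob@example.org"}, "two_factor": False},
}
AUDIT_LOG = []  # mismatched recovery attempts, kept for detection and review


def normalize(email):
    return email.strip().lower()


def recover_unsafe(username, claimed_email):
    """Flawed pattern as reported: the requester's address is trusted as-is."""
    if username not in ACCOUNTS:
        return {"sent_to": None}
    return {"sent_to": normalize(claimed_email), "token": secrets.token_urlsafe(32)}


def recover_hardened(username, claimed_email):
    """Send a reset link only to an address already verified for the account."""
    account = ACCOUNTS.get(username)
    claimed = normalize(claimed_email)
    if account is None or claimed not in account["verified_emails"]:
        if account is not None:
            AUDIT_LOG.append({"account": username, "claimed": claimed})
        # Identical reply for unknown accounts and mismatches: nothing to probe.
        return {"sent_to": None}
    return {
        "sent_to": claimed,  # guaranteed to be an on-file address
        "token": secrets.token_urlsafe(32),
        # Assumption: the reset cannot complete without the second factor.
        "requires_second_factor": account["two_factor"],
    }


if __name__ == "__main__":
    print(recover_unsafe("bob_travel", "someone-else@example.net")["sent_to"])
    print(recover_hardened("bob_travel", "someone-else@example.net")["sent_to"])
    print(recover_hardened("bob_travel", " Bob@Example.org ")["sent_to"])
```

The audit entries written on a mismatch are what a detection rule would count per account or per requester to surface repeated recovery attempts against the same target.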
First Attacks May Have Started in April
Meta believes the earliest successful exploitation of the vulnerability occurred around April 17, 2026.
Over the following weeks, attackers reportedly continued using the technique to compromise thousands of Instagram profiles across multiple regions.
The company estimates that more than 20,000 Instagram accounts were impacted before the vulnerability was identified and addressed.
High-Profile Accounts Also Reportedly Affected
Several media reports suggest that the incident may have impacted a number of well-known and high-visibility accounts.
Accounts reportedly linked to major organizations and public institutions were among those targeted, highlighting the scale and seriousness of the security issue.
The incident demonstrates that even prominent social media profiles can become vulnerable when weaknesses emerge in account recovery systems.
What Information Could Have Been Exposed?
Meta says it cannot definitively determine what information attackers may have accessed after taking control of affected accounts.
However, potentially exposed data could include:
- Email addresses
- Phone numbers
- Dates of birth
- Profile information
- Photos and videos
- Instagram Stories
- Direct Messages (DMs)
- Account activity history
- Connected services and linked accounts
The actual impact may vary depending on individual account settings and how long attackers maintained access.
Meta Takes Emergency Action
Following discovery of the flaw, Meta moved quickly to limit further damage.
The company has reportedly:
- Temporarily disabled the affected HTS recovery system.
- Invalidated password reset links generated through the vulnerable process.
- Introduced additional security checks for affected users.
- Forced password resets where necessary.
- Begun reviewing related account recovery workflows.
Meta says the recovery system will remain unavailable until stronger verification mechanisms are implemented.
Why Two-Factor Authentication Matters
The incident has once again highlighted the importance of enabling Two-Factor Authentication (2FA).
Accounts protected by 2FA require an additional verification step beyond a password, making unauthorized access significantly more difficult even if login credentials are compromised.
Security experts recommend that all Instagram users:
- Enable Two-Factor Authentication immediately.
- Use a strong and unique password.
- Avoid reusing passwords across platforms.
- Review account recovery information regularly.
- Monitor login activity for suspicious access attempts.
Meta Reviewing Additional Systems
Beyond fixing the identified vulnerability, Meta says it is conducting broader reviews of its account recovery infrastructure.
The company plans to strengthen email verification procedures and evaluate other automated support tools to prevent similar incidents in the future.
As AI-driven customer support systems become more common, security experts note that robust verification processes are essential to prevent attackers from manipulating automated workflows.
Final Thoughts
The compromise of more than 20,000 Instagram accounts serves as a reminder that account recovery systems can become attractive targets for cybercriminals. While Meta has taken steps to contain the issue and secure affected accounts, users are encouraged to review their security settings and enable additional protections such as Two-Factor Authentication.
As social media platforms continue integrating AI into support and recovery services, balancing convenience with strong security controls will remain a critical challenge for technology companies worldwide.



