- Meta confirms 20,225 Instagram accounts affected by HTS password reset bug
- Bug allowed attackers to request resets from unassociated emails
- HTS disabled, password reset, full recovery flow review in progress
Last week's attack on Meta's customer service affected just over 20,000 accounts, the company has confirmed. The hackers managed to break into these profiles and most likely exfiltrate the data found inside.
Last week, news emerged that cybercriminals exploited a vulnerability in Meta's AI-based customer service, tricking it into sending password reset codes for other people's accounts.
Now, the owner of Facebook and Instagram has filed a new report with the Maine Attorney General's Office stating that 20,225 people were affected. In its letter to the Maine AG, Meta said it discovered a flaw in High Touch Support (HTS), an AI-assisted account recovery system for Instagram, on May 31, 2026.
Mitigating the intrusion
“The tool itself worked correctly and worked as intended; however, due to an error in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user's Instagram account. As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email instead of rejecting the request,” Meta explained.
The company says there is no evidence of a data breach, but does not rule one out, given that the criminals were able to access the accounts easily. The data that may have been exposed includes contact information (email address and/or phone number), date of birth, social media posts and content (photos, videos, stories), direct messages and communications, account activity and interaction history, profile information (bio, profile photo), and connected accounts and linked services.
To fix the issue, Meta disabled the HTS system and reset the passwords for all affected profiles. It also enrolled all targeted accounts in a mandatory security checkpoint and asked all users to re-authenticate.
“Before relaunching the tool, Meta will fix authentication verification at the Instagram recovery entry point to ensure proper verification of email addresses against existing account information before initiating any password resets,” Meta emphasized. “Additionally, Meta is conducting a thorough review of similar account recovery flows across all Meta platforms to identify and address any potential issues.”
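The defect Meta describes is a verification gap rather than a flaw in the AI tool itself: the recovery entry point accepted a requester-supplied email as the delivery address without comparing it to the address on file. The following is an added example, not Meta's or Instagram's code, that models that class of bug beside the hardened form Meta says it will ship (verify the supplied address against the account record before initiating any reset), plus a log-based detection check for reset links routed to an address other than the one on file. Account names, addresses and the in-memory mail log are constructed placeholders.

```python
"""Constructed model of the recovery-flow defect described in the article.

Added example, not Meta's or Instagram's code. The accounts, addresses and
the in-memory mail log are placeholders built for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GENERIC_REPLY = "If that account exists, a reset link has been sent."


@dataclass
class Account:
    username: str
    email: str                       # address on file for the account
    reset_tokens: List[str] = field(default_factory=list)


# Constructed sample directory (placeholder data).
ACCOUNTS = {"alice": Account("alice", "alice@example.com")}

# Delivery log: (username, recipient, token). A real system would write this
# to an audit trail; here it doubles as the dataset for the detection check.
MAIL_LOG: List[Tuple[str, str, str]] = []


def _normalize(email: str) -> str:
    return email.strip().lower()


def _mint_and_send(account: Account, recipient: str) -> str:
    token = secrets.token_urlsafe(32)
    account.reset_tokens.append(token)
    MAIL_LOG.append((account.username, recipient, token))
    return token


def request_reset_vulnerable(username: str, supplied_email: str) -> Tuple[str, Optional[str]]:
    """Defective path: the requester's email becomes the delivery address
    without being compared to the address on file. Returns (reply, sent_to)."""
    account = ACCOUNTS.get(username)
    if account is None:
        return GENERIC_REPLY, None
    _mint_and_send(account, supplied_email)          # BUG: unverified destination
    return GENERIC_REPLY, supplied_email


def request_reset_fixed(username: str, supplied_email: str) -> Tuple[str, Optional[str]]:
    """Hardened path: the supplied email is only evidence that the requester
    knows the account's address; the link always goes to the address on file."""
    account = ACCOUNTS.get(username)
    if account is None:
        return GENERIC_REPLY, None               # same reply: no enumeration oracle
    on_file = _normalize(account.email).encode()
    given = _normalize(supplied_email).encode()
    if not hmac.compare_digest(on_file, given):
        return GENERIC_REPLY, None               # mismatch: no token, nothing sent
    _mint_and_send(account, account.email)       # destination taken from the record
    return GENERIC_REPLY, account.email


def find_misrouted_resets() -> List[Tuple[str, str]]:
    """Detection check over the delivery log: flag every reset link delivered
    to an address other than the one on file for that account."""
    flagged = []
    for username, recipient, _token in MAIL_LOG:
        account = ACCOUNTS.get(username)
        if account is None or _normalize(recipient) != _normalize(account.email):
            flagged.append((username, recipient))
    return flagged


if __name__ == "__main__":
    print(request_reset_vulnerable("alice", "attacker@evil.example"))
    print(request_reset_fixed("alice", "attacker@evil.example"))
    print(request_reset_fixed("alice", " Alice@Example.com "))
    print("misrouted:", find_misrouted_resets())
```

Two design points carry over to any recovery flow, AI-assisted or not: the reply is identical whether the account exists or the email matches, so the endpoint cannot be used to enumerate which address belongs to which account, and the delivery address is read from the account record rather than from the request, so even a future bug in the comparison cannot route a link to an attacker-chosen mailbox. The `find_misrouted_resets` check is the kind of control that would have surfaced this issue from the mail log alone.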
Muhammad Yahya Patel, vCISO and Cybersecurity Advisor at Huntress, said:
“This is a new category of risk that the industry must begin to take seriously. As AI is integrated into operational workflows, customer service, identity verification, and access management, the attack surface shifts from technical to logical vulnerabilities.
“Any organization implementing AI in support, identity, or access workflows must ask themselves one question before going live: what happens if an attacker treats this tool as an attack surface? AI systems that can trigger privileged actions, such as password resets, account access, and data recovery, need the same tight access controls and verification logic as any other privileged system. The fact that it works with artificial intelligence does not reduce the risk. Right now, for many organizations, it is increasing.
“The bigger question is what this says about the security review process for AI-powered tools before they go into production.”
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.