Meta says a bug in an AI-assisted Instagram account recovery tool let attackers have password reset links sent to their own email addresses. The tool is disabled and the bug is fixed.
In short: Meta says it fixed a flaw in an AI-assisted Instagram account recovery tool that let attackers take over more than 20,000 accounts.
Meta disclosed a security bug in an Instagram support feature called High Touch Support, which used AI to help people regain access to accounts they were locked out of. The problem was in the password reset process.
In this flow, Instagram did not properly check that the email entered during recovery matched the email already on the account. That meant an attacker could type in their own email address, and the system could send the password reset link to the attacker instead of stopping the request. It is like a help desk mailing a new house key to whatever address the caller says, without confirming it is the address on file.
Meta said attackers could then reset the password and log in if the victim did not have two-factor authentication, or 2FA (a second step like a code sent to your phone). Meta reported that 20,225 accounts were compromised this way. The company said it does not yet know exactly what data was accessed, but it listed what could have been reached from a taken-over account, including direct messages, contact details, birth date, posted content, and linked accounts.
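To make the failure concrete, here is an added illustration (not Meta's code, and not based on any detail of Instagram's implementation beyond what is described above) of a recovery flow with this class of bug next to a hardened one, plus a simulated attacker run against each. The account store, addresses, passwords and the hash function are constructed stand-ins for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed sample data standing in for a backend account store.
# These accounts, addresses and passwords are illustrative only.
@dataclass
class Account:
    username: str
    email: str                 # recovery address on file
    password_hash: str
    has_2fa: bool = False
    reset_tokens: dict = field(default_factory=dict)  # token -> address it was sent to


def hash_pw(password: str) -> str:
    # Stand-in for a real slow password hash (argon2 / bcrypt / scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


ACCOUNTS = {
    "victim": Account("victim", "victim@example.com", hash_pw("correct horse")),
    "victim2fa": Account("victim2fa", "v2@example.com", hash_pw("battery staple"), has_2fa=True),
}


def normalize(email: str) -> str:
    return email.strip().lower()


def request_reset_vulnerable(username, submitted_email):
    """Recovery flow with the class of bug described in the article: the address
    typed into the form is trusted and used as the delivery address for the
    reset link, with no check against the address on file."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None, None
    token = secrets.token_urlsafe(32)
    deliver_to = normalize(submitted_email)
    acct.reset_tokens[token] = deliver_to
    return token, deliver_to


def request_reset_hardened(username, submitted_email):
    """Fixed flow: the typed address is only compared against the address on
    file, and a link is ever sent only to the address on file. The caller should
    show the same generic 'if that matches, we sent a link' message whether or
    not the comparison succeeded, so the endpoint cannot be used to test which
    address belongs to an account."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None, None
    on_file = normalize(acct.email)
    if not hmac.compare_digest(normalize(submitted_email).encode(), on_file.encode()):
        return None, None
    token = secrets.token_urlsafe(32)
    acct.reset_tokens[token] = on_file
    return token, on_file


def complete_reset(username, token, new_password):
    """Consume a single-use reset token and set a new password."""
    acct = ACCOUNTS.get(username)
    if acct is None or token not in acct.reset_tokens:
        return False
    del acct.reset_tokens[token]
    acct.password_hash = hash_pw(new_password)
    return True


def login(username, password, second_factor_passed=False):
    """A password alone is not enough when 2FA is enrolled."""
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct.password_hash, hash_pw(password)):
        return False
    return second_factor_passed or not acct.has_2fa


def attacker_takeover(request_reset, victim, attacker_email="attacker@evil.example"):
    """Simulate the attack end to end against a given recovery flow: start
    recovery for the victim's account, supply the attacker's own address, and
    try to use whatever arrives. Returns True if the attacker ends up logged in."""
    token, delivered_to = request_reset(victim, attacker_email)
    if token is None or delivered_to != normalize(attacker_email):
        return False                             # attacker's inbox never saw a link
    if not complete_reset(victim, token, "attacker-chosen"):
        return False
    return login(victim, "attacker-chosen")      # attacker holds no second factor
```

Running `attacker_takeover` with the vulnerable flow succeeds against the account without 2FA and fails against the one with it, which matches the article's point about 2FA; note, though, that in the vulnerable flow the 2FA account's password is still changed, so the victim is locked out even though the attacker cannot log in. With the hardened flow the attacker never receives a link at all, and a case or whitespace variant of the real address still matches because both sides are normalized before the comparison.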
Meta says it found the issue on May 31, disabled the AI-assisted tool and the affected reset path, and invalidated reset links made through that workflow. It also forced password resets and added extra checks for impacted users.
This incident shows that account recovery tools can be a weak point, especially when they can change sensitive settings like an account email. For Instagram users, turning on 2FA and checking your linked email and phone number can help block this kind of takeover.
Source: NYTimes