- Meta Confirms 20,225 Instagram Accounts Affected by HTS Password Reset Errors
- Bug lets attackers request resets for unrelated emails
- HTS disabled, passwords reset, review of similar recovery flows in progress
Last week’s attack against Meta’s customer support affected more than 20,000 accounts, the company has now confirmed. Hackers managed to break into these profiles and most likely exfiltrate the data found inside.
Last week, news broke that cybercriminals exploited a vulnerability in Meta’s AI-powered customer support service and tricked it into sending password reset codes to other people’s accounts.
Now, the Facebook and Instagram owner filed a new report with the Office of the Maine Attorney General, stating that 20,225 people were affected. In a letter Meta sent to the Maine AG, it said the company discovered a bug in High Touch Support (an AI-assisted account recovery system for Instagram) on May 31, 2026.
Remedy of intrusion
“The tool itself was working correctly and working as intended; however, due to an error in a separate code path, the system did not correctly verify that the email address provided by the person requesting a password reset matched the email address associated with that user’s Instagram account. As a result, when a person provided an email address that was not previously associated with the account, the system incorrectly sent a password reset link to the unaffiliated request,” Meta explained.
The company says there is no evidence of data exfiltration but does not rule it out, since the intruders could easily have accessed the data. The data at risk includes contact information (email address and/or phone number), date of birth, social media posts and content (photos, videos, stories), direct messages and communications, account activity and interaction history, profile information (biography, profile picture), and associated accounts and associated services.
To resolve the issue, Meta disabled the HTS system and reset the passwords for all affected profiles. It also enrolled all targeted accounts in a mandatory security checkpoint and asked all users to re-authenticate.
“Before restarting the tool, Meta will fix the authentication check in the Instagram recovery entry point to ensure proper verification of email addresses against existing account information before any password reset is initiated,” Meta stressed. “Additionally, Meta is conducting a comprehensive review of similar account recovery flows across Meta’s platforms to identify and address any potential issues.”
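The two code paths Meta describes, as an added example that is not Meta's code: a recovery entry point that mails the link to whatever address the requester supplies, beside one that first checks the supplied address against the account's verified addresses and sends only to the address on file. The account store, function names and token format are constructed for illustration.

```python
import hmac
import secrets

# Constructed account store: username -> verified e-mail addresses on file.
ACCOUNTS = {"alice": {"alice@example.com"}}

# Messages a real system would send; kept in memory so the flow is inspectable.
OUTBOX = []


def _normalize(email: str) -> str:
    return email.strip().lower()


def _issue_link(recipient: str) -> str:
    """Mint an unguessable reset token and record who it was mailed to."""
    token = secrets.token_urlsafe(32)
    OUTBOX.append((recipient, token))
    return recipient


def reset_vulnerable(username: str, requester_email: str):
    """Shape of the bug the article describes: the account is looked up,
    but the supplied address is never checked against the account, and the
    reset link goes to whatever address the requester typed in."""
    if username not in ACCOUNTS:
        return None
    return _issue_link(_normalize(requester_email))


def reset_hardened(username: str, requester_email: str):
    """Fixed flow: the supplied address must match a verified address already
    on the account, and the link is sent only to that address on file.
    Unknown users and mismatched addresses get the same answer, so the entry
    point does not confirm which of the two was wrong."""
    supplied = _normalize(requester_email).encode()
    matched = None
    for known in ACCOUNTS.get(username, ()):
        # constant-time compare, no early exit, so timing does not leak position
        if hmac.compare_digest(_normalize(known).encode(), supplied):
            matched = _normalize(known)
    if matched is None:
        return None
    return _issue_link(matched)
```

Both functions return the address the link was sent to, or None when nothing was sent, which makes the difference between the two paths directly testable.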
Muhammad Yahya Patel, vCISO & Cybersecurity Advisor at Huntress, said:
“This is a new category of risk that the industry needs to start taking seriously. As AI is embedded in operational workflows, customer support, identity verification and access management, the attack surface is shifting from technical vulnerabilities to logical ones.
Any organization implementing AI in support, identity or access workflows needs to ask one question before going live: What happens if an attacker treats this tool as the attack surface? AI systems that can trigger privileged actions such as password resets, account access and data retrieval need the same strict access control and verification logic as any other privileged system. The fact that it’s AI-powered doesn’t make it any lower risk. Right now, for many organizations, it makes it higher.
The more significant issue is what this signals about the security review process for AI-powered tools before they go into production.”
Via Bleeping Computer