Meta recently disclosed that more than 20,000 Instagram accounts were compromised in a security incident where hackers exploited Meta’s AI-powered support system to reset passwords.
According to reports, cybercriminals took advantage of a vulnerability in Meta’s High Touch Support (HTS) tool, an AI-driven system designed to assist users in regaining access to their locked Instagram accounts.
By circumventing the verification process for email addresses linked to the targeted accounts, the attackers were able to obtain password reset links, allowing them to gain unauthorized access without the need for two-factor authentication (2FA).
Following a surge of reports on social media platforms about the attacks, Andy Stone, Meta’s vice president of communications, assured affected users that the issue had been resolved and that steps were being taken to secure impacted accounts.
Meta acknowledged the breach in a data breach notification letter submitted to Maine’s Office of the Attorney General, stating that 30 users in the jurisdiction had their Instagram accounts potentially compromised.
The company admitted that a flaw in the HTS system was exploited by unauthorized parties on May 31, 2026, allowing them to carry out password resets on affected accounts.
While Meta did not specify the exact nature of the information accessed by the attackers, it indicated that compromised accounts could have exposed contact details, dates of birth, social media posts, direct messages, account activity, profile information, and other connected accounts.

Upon discovering the incident, Meta disabled the HTS system and invalidated all generated password reset links to prevent further unauthorized access attempts. Affected users were required to pass a mandatory security checkpoint and reset their passwords to regain control of their compromised accounts.
Meta assured users that enhanced security measures would be implemented, including stricter authentication checks during the account recovery process to prevent similar incidents in the future.
Prior to this breach, Meta had faced significant fines for previous data security lapses, including a $264 million penalty in Ireland for a 2018 breach and fines totaling €356 million ($375.5 million) in 2022 for data protection violations.