What Happened: A Password Reset Exploit Inside Meta’s AI Support
The Instagram AI account recovery incident is a security breach where a flawed Meta support chatbot let attackers redirect password reset emails to their own inboxes, enabling full account takeover for more than 20,000 users who lacked two-factor authentication and exposing private messages and profile data. Meta’s AI-assisted tool, called High Touch Support (HTS), is meant to help people who are locked out of their Instagram account regain access. Under normal conditions, the chatbot should send a password reset link only to the email already tied to the account. Instead, a bug in a separate code path meant the system did not check if the email entered during recovery matched the one on file, creating a dangerous password reset exploit that attackers quickly spread through Telegram and social media.

How Hackers Took Over 20,225 Instagram Accounts
Hackers used the Meta AI security flaw to get password reset links sent to email addresses they controlled. By starting the AI-assisted recovery flow from an IP address in the same region as the victim and asking HTS to send a reset link to a new email, attackers received a valid link without triggering Instagram’s normal protections. Meta says that “due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account.” Once the attacker clicked the link and set a new password, they could log in if the victim did not have two-factor authentication enabled. In total, 20,225 accounts were affected, including high-profile, inactive or official accounts that drew quick public attention.
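The missing check described above, modelled as an added Python example (not Meta's code): a flawed reset path that mails the link to whatever address the requester typed, next to a fixed path that only ever mails the address on file, plus the link-invalidation step and a detection query over the outbox. Account names, addresses and function names are constructed for the example.

```python
import secrets
from collections import namedtuple

Account = namedtuple("Account", "email two_factor")  # email = address on file
# Constructed sample accounts; none of these are real Instagram users.
ACCOUNTS = {
    "victim": Account("victim@example.com", False),
    "guarded": Account("guarded@example.com", True),
}
RESET_TOKENS = {}  # token -> username, i.e. the live reset links
OUTBOX = []        # (recipient, username, token); stands in for the mail system

def _issue(username, recipient):
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = username
    OUTBOX.append((recipient, username, token))
    return recipient

def vulnerable_reset(username, requested_email):
    """Flawed path: the address typed into the flow becomes the destination, unchecked."""
    if username not in ACCOUNTS:
        return None
    return _issue(username, requested_email)

def hardened_reset(username, requested_email):
    """Fixed path: mismatch and unknown user get the same answer; mail goes to the address on file."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct.email.lower() != requested_email.strip().lower():
        return None
    return _issue(username, acct.email)

def redeem(token, second_factor_ok=False):
    """Single-use token; a 2FA account also needs its second factor (modelled here, not at login)."""
    username = RESET_TOKENS.pop(token, None)
    if username is None:
        return False
    return second_factor_ok or not ACCOUNTS[username].two_factor

def invalidate_all_tokens():
    """Incident-response step: revoke every outstanding link the faulty path produced."""
    count = len(RESET_TOKENS)
    RESET_TOKENS.clear()
    return count

def redirected_resets():
    """Detection: reset mail whose recipient is not the address on file."""
    return [(r, u) for r, u, _ in OUTBOX if r.lower() != ACCOUNTS[u].email.lower()]
```

Running `redirected_resets()` over the outbox is the kind of query that would have surfaced the redirected links before the reset count reached five figures.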

What Meta Fixed and What Data May Have Been Exposed
Meta discovered the issue at the end of May and disabled the AI-assisted support tool the same day to remove the vulnerable code path from production. The company also invalidated all password reset links generated through the faulty process and worked to secure impacted accounts and restore access to legitimate owners. According to a data breach filing, hackers may have viewed personal information stored in compromised profiles, including contact details such as email addresses and phone numbers, dates of birth, posts, direct messages, and connected or linked accounts. Meta has said it will fix the bug before relaunching the AI tool, and its notice to regulators confirms that all affected accounts have been locked down to prevent ongoing access. Still, anyone whose Instagram account was taken over during this window should assume personal data might have been exposed.

How to Tell If Your Instagram Account Was Hacked
If your Instagram account was hacked through this password reset exploit, you might notice unexpected logouts, password-change emails you did not request, or missing access to your original login email. Check your account for unfamiliar posts, stories, or messages, and review your login activity for unknown devices and locations. Look for security notifications about password resets around or after mid-April, especially if you used the AI chatbot for support. If you cannot sign in, use Instagram’s official account recovery process from the app or website and avoid links sent via third-party chats like Telegram. Once back in, verify your email and phone number under account settings, remove any unknown connected services, and review recent direct messages for suspicious activity. Even if your account seems normal, it is wise to change your password and enable extra security measures immediately.

Account Takeover Prevention: Steps to Protect Yourself Now
With AI-powered support tools now in the middle of account recovery, users need stronger habits for account takeover prevention. Start by turning on two-factor authentication (2FA) in Instagram’s security settings; the attack only worked cleanly on accounts without 2FA, because attackers could log in after resetting the password. Use a unique, long password for Instagram that you do not reuse elsewhere, and store it in a password manager. Regularly review your login activity and connected apps, removing anything you do not recognize. Be careful with any message or email about password resets—if you did not request it, treat it as a warning sign and change your password. Finally, when you need support, stick to official in-app or website flows instead of bots promoted on third-party platforms, and be skeptical of anyone offering “Instagram recovery” shortcuts.