How Hackers Exploited Meta AI to Hijack Over 20,000 Instagram Accounts

What the Meta AI Instagram Account Hijacking Incident Is

The Meta AI Instagram account hijacking incident is a large-scale security breach in which attackers abused Meta’s AI-assisted support tools to reset passwords and seize control of at least 20,225 Instagram accounts by manipulating email and recovery flows that were not properly verified. This Meta AI security breach centers on a tool called High Touch Support (HTS), designed to help users who lose access to their accounts. Meta told regulators that a bug in a separate code path allowed password reset links to be sent to email addresses that did not match the email stored on the Instagram account. Once attackers received those links, any profile without Instagram two-factor authentication was easy to take over. Stolen accounts included high-profile and vanity usernames, which are valuable targets for scams and resale.

How Hackers Used Meta AI to Bypass Account Protections

Meta explained in a government notice that, “Hackers used Meta AI to hack into 20,225 Instagram accounts” by abusing its HTS support tool. HTS was meant to send a password reset link to the rightful owner’s email. However, due to a bug in another code path, the system failed to confirm that the email entered during the support request matched the email on the Instagram account. Attackers could therefore request a reset link to their own email, without triggering Instagram’s usual automated protections. Reports from researchers and affected users show a second, related account hijacking vulnerability: text prompts sent to Meta AI support flows were able to change the account’s associated email address, even when Instagram two-factor authentication was enabled. Together, these flaws meant hackers could bypass both standard login checks and many 2FA setups to claim full control of accounts.

Meta’s Patch: UI Quick Fix, Backend Risk

After high-profile accounts were taken over and users complained that their Instagram account was hacked, Meta said the issue had been resolved and that it was securing affected profiles. But security researchers and victims argue the first response focused on appearance, not substance. According to Android Authority’s reporting, users in a Telegram channel claimed Meta’s “fix” was removing the “Get Support” button from the Meta AI interface while leaving the underlying API endpoints exposed. That means skilled attackers could still send crafted requests via Telegram bots or custom scripts, even though regular users could no longer see the button in the app. This gap between frontend and backend protections highlights an account hijacking vulnerability rooted in improper authentication checks inside the AI-driven support logic, rather than a mere interface flaw.
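To make the verification gap concrete, here is an added illustration (not Meta’s code, and the structures and names are hypothetical) of the two recovery checks the article describes: a reset handler that mails the link to whatever address the requester typed, beside a server-side version that only ever mails the stored address and fails generically on a mismatch, plus an email-change rule that demands the second factor when one is enrolled. Because the check lives in the handler, it holds whether or not a “Get Support” button is visible in any client.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Account:
    username: str
    email: str                      # address stored on the account
    two_factor: bool = False

@dataclass
class SupportRequest:
    username: str
    claimed_email: str              # whatever the requester typed
    second_factor_ok: bool = False  # did a 2FA step-up succeed?

# Constructed stand-in for an outbound mailer: (recipient, payload) pairs.
SENT: List[Tuple[str, str]] = []

def vulnerable_reset(accounts: Dict[str, Account], req: SupportRequest) -> Optional[str]:
    """Mirrors the flaw the article describes: the link is mailed to the
    address the requester typed and is never compared with the stored one."""
    acct = accounts.get(req.username)
    if acct is None:
        return None
    SENT.append((req.claimed_email, f"reset:{acct.username}"))
    return req.claimed_email

def hardened_reset(accounts: Dict[str, Account], req: SupportRequest) -> Optional[str]:
    """Server-side rule that holds whatever the UI shows: a link only ever
    goes to the stored address, and a mismatch fails generically so the
    caller learns nothing about which address is on file."""
    acct = accounts.get(req.username)
    if acct is None or req.claimed_email.strip().lower() != acct.email.lower():
        return None
    SENT.append((acct.email, f"reset:{acct.username}"))
    return acct.email

def hardened_change_email(acct: Account, new_email: str, req: SupportRequest) -> bool:
    """Changing the recovery address is a high-risk action: require the
    second factor when one is enrolled, even inside a support flow."""
    if acct.two_factor and not req.second_factor_ok:
        return False
    acct.email = new_email
    return True
```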

What Data Was Exposed and Why This Matters

Meta’s notice said compromised accounts may have exposed contact details, direct messages and communications, and linked services such as connected email or other accounts. High-value and unique usernames were prime targets: well-known brands, public figures, and rare short handles were hijacked for their reach or resale value. Public incidents included the inactive White House Instagram from the Obama administration, a major beauty retailer, and a senior space official. Meanwhile, Android Authority noted that Instagram’s Trust and Safety division was reportedly reduced by 60% after large layoffs and AI-focused reassignments, raising concerns that fewer people are available to catch flaws in automated systems. These patterns suggest a broader security problem: as Meta pushes AI support tools deeper into account recovery, gaps in verification logic can turn helpful automation into an attack path for criminals.

How to Protect Your Instagram Account Right Now

Although this Meta AI security breach abused Meta’s backend systems, there are steps you can take to reduce the impact if your Instagram account is hacked. First, enable Instagram two-factor authentication using a code generator app rather than SMS, and store backup codes somewhere offline. Second, regularly review login activity and devices in your Instagram security settings; immediately log out any device you do not recognize and change your password to a unique, long passphrase. Third, audit connected apps and linked services, removing anything you no longer use. Be skeptical of any “support” message that pushes you to click a password-reset link outside the official app or website. Finally, consider using a password manager so a compromise of one service does not cascade into others. These steps cannot fix Meta’s bug, but they limit damage and speed your recovery.