Instagram’s account-recovery path became the weak point after a flaw in Meta’s AI-assisted support system let attackers obtain access to accounts without first clearing the identity checks users expect from a password reset process.
The confirmed exposure stands at 20,225 Instagram accounts, according to Meta’s breach notice filed in Maine and reported by The Verge.
The breach was not a conventional password theft case. Tech Radar reported that the failure sat inside Meta’s High Touch Support system, where an AI-powered recovery assistant could be manipulated into sending password reset links to email addresses that were not verified against the Instagram accounts being targeted.
Meta said the vulnerability was discovered on May 31, 2026. The company disabled the affected High Touch Support system, reset passwords for impacted accounts and required users to pass a security checkpoint.
The company also invalidated reset links generated through the exploit and removed the faulty code path. Reuters reported the incident became harder to treat as a routine platform bug because some accounts carried institutional or commercial weight.
Compromised accounts included the dormant Obama White House page and those of beauty retailer Sephora and a senior US Space Force official.
Reuters framed the episode as a test of Meta’s push to automate sensitive user functions, and quoted Red Sift executive Brian Westnedge describing it as a “foundational architecture failure.”
For Meta, the fix may close this specific recovery path, but the broader test is whether every AI-assisted support workflow now gets reviewed like an access-control system rather than a chat product.
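What treating a recovery assistant as an access-control system means in practice, as an added illustration that is not Meta's code: the reset tool itself checks the requested destination against contact points already verified for the account, whatever the assistant was persuaded to ask for. Every name, account and address below is hypothetical and constructed.

```python
# Added illustration: hypothetical names and constructed data, not Meta's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    handle: str
    verified_emails: frozenset  # addresses the owner has already confirmed


# Constructed sample directory (stored lower-cased).
ACCOUNTS = {
    "example_brand": Account("example_brand", frozenset({"owner@example.com"})),
}

AUDIT_LOG = []  # denied requests, kept for detection and later review


def normalize(email):
    """Canonical form used for comparison against the verified set."""
    return email.strip().casefold()


def issue_reset_unchecked(handle, destination):
    """Weak pattern: the destination chosen in the conversation is trusted as-is."""
    return {"account": handle, "sent_to": destination}


def issue_reset_checked(handle, destination):
    """Hardened pattern: the tool, not the model, decides where a link may go."""
    account = ACCOUNTS.get(handle)
    dest = normalize(destination)
    # Unknown account and unverified address get the same answer, so the
    # reply does not reveal which accounts exist.
    if account is None or dest not in account.verified_emails:
        AUDIT_LOG.append({"account": handle, "requested": dest, "decision": "deny"})
        return None
    return {"account": handle, "sent_to": dest}
```

Because the check lives in the tool handler rather than in the assistant's prompt, no conversation can talk the system out of it, and each denial leaves a record that can feed alerting on repeated attempts against one account.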