The fastest route into thousands of Instagram accounts was not a stolen password. It was the recovery system designed to restore accounts.
Meta has disclosed a flaw in its AI-assisted High Touch Support tool that attackers reportedly used to reset passwords for more than 20,000 Instagram accounts. The issue allowed recovery links to be sent to attacker-controlled email addresses, according to reporting from BleepingComputer.
The incident raises an uncomfortable security question for major platforms: What happens when the systems designed to help locked-out users become the shortcut around normal login defenses?
The exploit behind the numbers
Attackers exploited a bug in Meta’s High Touch Support (HTS) tool.
In a disclosure filed with the Office of the Attorney General of Maine, Meta reported that just 30 accounts were affected in that jurisdiction. However, BleepingComputer has reported that 20,225 were affected. The outlet also noted that the exploit occurred on April 17 and wasn’t detected until May 31.
Because the tool did not properly verify that the email address belonged to the account owner, attackers could enter their own addresses. Meta’s tool then sent valid recovery links to those addresses, letting attackers reset passwords for targeted accounts.

While the attack chain enabled a successful password reset, Meta’s disclosure suggests that successful account takeovers were primarily linked to accounts without two-factor authentication (2FA).
The company has not publicly explained whether the flaw could also have affected some accounts protected by 2FA, despite an earlier BleepingComputer report in which several users said they lost access to accounts with 2FA enabled. That distinction matters because changing a password and gaining full access to an account are not necessarily the same thing: 2FA should still block login attempts even after a password has been reset.
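As an added illustration of the two points above (the unverified recovery address, and why a reset alone should not defeat 2FA), here is a toy recovery flow that is not Meta's code: the flawed pattern beside a hardened version that mails only addresses already verified on the account, logs mismatches so bulk abuse is detectable, and still demands a second factor after the reset. Account names, addresses and IPs are constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    user_id: str
    verified_emails: frozenset   # addresses the owner has already confirmed
    totp_enabled: bool           # whether a second factor is enrolled

# Constructed sample directory; not real accounts.
ACCOUNTS = {
    "alice": Account("alice", frozenset({"alice@example.org"}), totp_enabled=False),
    "bob": Account("bob", frozenset({"bob@example.org"}), totp_enabled=True),
}
AUDIT_LOG = []  # stand-in for the support tool's audit trail

def vulnerable_recovery(username, requested_email):
    """Flawed pattern: trusts whatever address the support flow was given and
    mails the reset link there. Mailbox ownership is never checked."""
    _ = ACCOUNTS[username]  # only confirms the account exists
    return {"sent_to": requested_email, "token": secrets.token_urlsafe(16)}

def hardened_recovery(username, requested_email, source_ip):
    """Only addresses already verified on the account may receive a link.
    Mismatches return the same shape as success and are logged for detection."""
    acct = ACCOUNTS.get(username)
    ok = acct is not None and requested_email.lower() in acct.verified_emails
    AUDIT_LOG.append({"user": username, "requested": requested_email,
                      "ip": source_ip, "event": "sent" if ok else "email_mismatch"})
    if not ok:
        return {"sent_to": None, "token": None}
    return {"sent_to": requested_email, "token": secrets.token_urlsafe(16)}

def complete_reset(username, new_password, totp_code=None):
    """A reset link alone must not grant access when a second factor is enrolled
    (TOTP code verification itself is elided in this toy)."""
    acct = ACCOUNTS[username]
    if acct.totp_enabled and totp_code is None:
        return "mfa_required"
    return "password_changed"

def mismatch_sources(log, threshold):
    """Detection: source IPs producing mismatches across many distinct users,
    the signature of bulk recovery abuse rather than one confused customer."""
    per_ip = {}
    for e in log:
        if e["event"] == "email_mismatch":
            per_ip.setdefault(e["ip"], set()).add(e["user"])
    return {ip for ip, users in per_ip.items() if len(users) >= threshold}
```

Running the hardened flow against a stream of support requests and alerting on `mismatch_sources` would have surfaced a single origin hitting thousands of unrelated accounts long before the six-week gap described above.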
BleepingComputer also noted that the attackers bypassed Meta’s face-verification checks by using an animated image of their target. At the same time, another report claims that a VPN was used to make it appear the attacker was from the same geographic location as their target.
Meta’s actions following the incident
While Meta says it has no information about which victims’ personal data may have been stolen, the company says that virtually all information stored within a user’s account could have been accessed.
It has also turned off its HTS tool until the flaw is fixed, and through its Vice President of Communications, Andy Stone, noted that affected accounts are being secured. Affected users have been enrolled in a mandatory security checkpoint and urged to change their passwords to regain access to their accounts.
The incident is a reminder that account recovery is now part of the attack surface. Even when passwords and 2FA are in place, recovery workflows can become the weak door at the back of the house.