Instagram Accounts Hijacked: Meta's AI Support System Exploited in Massive Breach
**Meta** has disclosed a significant security incident where over 20,000 **Instagram** accounts were hijacked. Attackers exploited a critical vulnerability within the company's AI-powered **High Touch Support (HTS)** system, enabling them to reset user passwords and bypass two-factor authentication. This breach highlights the risks associated with automated support tools and the importance of robust identity verification.

### The Flaw in AI-Assisted Account Recovery
The incident, which **Meta** discovered on May 31, 2026, and likely began as early as April 17, saw threat actors leverage a critical design flaw in **Instagram**'s **High Touch Support (HTS)** tool. This AI-assisted system is designed to help users regain access to locked accounts. However, a bug in a separate code path prevented **HTS** from properly verifying that an email address provided for a password reset request was actually associated with the target **Instagram** account.
This oversight allowed unauthorized third parties to request password reset links for accounts they did not own, directing these links to their own email addresses. Upon receiving and using these links, attackers could log into and hijack accounts where two-factor authentication (2FA) was not enabled.
**Amber Hannah**, **Meta**'s associate general counsel for incident response legal, detailed the vulnerability in a data breach notification filed with **Maine's Office of the Attorney General**. She explained, "The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user's **Instagram** account."
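The verification gap described above, as an added illustration that is not Meta's or Instagram's code: a constructed Python recovery handler in its flawed form (the reset link is delivered to whatever address the caller supplies) beside a hardened form that compares the supplied address with the address on file and delivers the link only to the registered address. The usernames, email addresses and the in-memory outbox are all constructed sample data.

```python
"""Account-recovery handlers, flawed and hardened.

Constructed example for illustration; it is not Meta/Instagram code.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    registered_email: str
    two_factor_enabled: bool = False


# Constructed sample directory (hypothetical users, not real data).
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com"),
    "bob": Account("bob", "bob@example.com", two_factor_enabled=True),
}

# Simulated mail sender: list of (recipient, reset_token) pairs.
OUTBOX: list[tuple[str, str]] = []


def reset_outbox() -> None:
    """Clear the simulated outbox (used by tests)."""
    OUTBOX.clear()


def _issue_reset_token() -> str:
    """Unguessable single-use token for the reset link."""
    return secrets.token_urlsafe(32)


def request_reset_flawed(username: str, supplied_email: str) -> str:
    """Flawed path: the supplied address is never compared with the address
    registered on the account, so the reset link is sent wherever the caller
    asks. This is the class of bug the notification describes."""
    account = ACCOUNTS.get(username)
    if account is not None:
        OUTBOX.append((supplied_email, _issue_reset_token()))
    return "ok"


def request_reset_hardened(username: str, supplied_email: str) -> str:
    """Hardened path.

    1. The supplied address must match the address on file (constant-time
       compare after normalisation).
    2. The link is delivered only to the registered address, never to the
       caller-supplied string, so a mismatch can never redirect the link.
    3. Every branch returns the same response, so the endpoint cannot be used
       to probe which addresses belong to which accounts.
    """
    account = ACCOUNTS.get(username)
    if account is not None:
        supplied = supplied_email.strip().lower().encode()
        on_file = account.registered_email.strip().lower().encode()
        if hmac.compare_digest(supplied, on_file):
            OUTBOX.append((account.registered_email, _issue_reset_token()))
    return "ok"


def reset_links_delivered_to(email: str) -> list[str]:
    """Tokens the simulated mailer delivered to a given address."""
    return [token for recipient, token in OUTBOX if recipient == email]


if __name__ == "__main__":
    reset_outbox()
    request_reset_flawed("alice", "someone-else@example.net")
    print("flawed path delivered to third party:",
          bool(reset_links_delivered_to("someone-else@example.net")))
    reset_outbox()
    request_reset_hardened("alice", "someone-else@example.net")
    print("hardened path delivered to third party:",
          bool(reset_links_delivered_to("someone-else@example.net")))
```

The decisive design choice is the second point in the hardened handler: even if the comparison were later weakened by a bug in another code path, a link that is only ever addressed to the email on file cannot be redirected to a stranger. Accounts with a second factor enrolled (the constructed `bob` record) would still require that factor after the reset, which is why the notification limits the hijacks to accounts without 2FA.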
### Scope and Potential Data Exposure
Initially, reports indicated a widespread issue, with **Meta** confirming 20,225 **Instagram** users had their accounts compromised. For users within Maine's jurisdiction specifically, **Meta** reported 30 accounts were affected.

While **Meta** stated it has no definitive information on what personal data was accessed or stolen, the nature of account hijacking means attackers potentially gained access to a broad range of sensitive information. This includes contact details (email and/or phone number), dates of birth, all social media posts and content (photos, videos, stories), direct messages and communications, account activity, profile information (biography, profile photo), and any other connected accounts or linked services.
### Meta's Swift Response and Remediation
Upon discovering the exploit, **Meta** acted quickly to contain the breach. The company disabled the **HTS** AI-powered support system and invalidated all password reset links generated by the flawed process, effectively blocking further hijack attempts.
**Andy Stone**, **Meta**'s vice president of communications, publicly confirmed the resolution, stating the "issue has been resolved, and we are securing impacted accounts." All potentially compromised accounts were enrolled in a mandatory security checkpoint, requiring affected users to reset their passwords and re-authenticate to regain control.
Looking forward, **Meta** has pledged to fix the authentication check in the **Instagram** recovery entry point to ensure proper email verification before re-launching the tool. Furthermore, the company is conducting a comprehensive review of similar account recovery flows across all its platforms to identify and remediate any other potential vulnerabilities.
### A Pattern of Security Lapses
This incident adds to a history of security challenges for **Meta**. In previous years, the company faced substantial fines from Irish regulators. In 2022, **Meta** was fined €265 million (approximately $275.5 million) for failing to protect **Facebook** users' data from scrapers, and an earlier €91 million (approximately $100 million) penalty for storing hundreds of millions of user passwords in plaintext. A 2018 data breach that exposed personal details of over 29 million **Facebook** accounts also led to a $264 million fine. These recurring issues underscore the critical need for continuous security vigilance, especially when integrating advanced AI systems into sensitive processes like account recovery.