Meta's Account Recovery Tool Vulnerability Exposes 20,000+ Instagram Users to Unauthorized Password Resets
- Jun 8
- 4 min read
Key Findings
Meta's AI-powered Instagram account recovery tool, known as High Touch Support (HTS), contained a critical flaw that exposed over 20,000 accounts to unauthorized password resets
The vulnerability existed for approximately seven weeks, from April 17 to early June 2026, before Meta discovered it on May 31
The flaw allowed attackers to request password reset links for any Instagram account and have them sent to email addresses they controlled, bypassing identity verification entirely
Accounts without two-factor authentication enabled were fully compromised, exposing all user data including messages, posts, contact information, and linked services
Meta discovered the problem internally; the breach went undetected for roughly six weeks before anyone noticed
The fix was elementary: verifying that submitted email addresses matched the account on file before generating reset links
Background
Instagram's High Touch Support tool was designed as a user-friendly account recovery system. When someone got locked out, they could provide an email address and receive a password reset link to regain access. The concept was straightforward and intentional. What made it dangerous was what the developers forgot to build in: basic email verification.
The tool never checked whether the email address supplied by the person requesting the reset actually belonged to the account being recovered. This meant anyone with knowledge of a target's username could request a reset link for that account, have it sent to their own email inbox, and walk straight into the compromised profile if the victim hadn't enabled two-factor authentication as a secondary safeguard.
Timeline and Discovery
The vulnerability remained active from April 17 through early June 2026. Meta's internal security team discovered the breach on May 31, meaning the tool was operating with an open door for approximately six weeks before anyone caught it. The fact that the company only detected the problem after it had been exploited for that long is significant, particularly for a tool handling account recovery in a security-critical context.
Once discovered, Meta moved decisively. The company disabled HTS entirely on May 31, invalidated every password reset link the vulnerable system had generated, enrolled all potentially affected accounts into mandatory security checkpoints, and forced full password resets with re-authentication across the board.
Scope of Compromise
Meta confirmed that 20,225 Instagram accounts were compromised through this vulnerability. The company's data breach notice to Maine's Attorney General specified that 30 Maine residents were affected. The filing carefully noted that this represents an upper limit, as some account activity may have been carried out by legitimate account owners who regained access.
When an attacker successfully reset a password and accessed a compromised account, they gained complete visibility. This included email addresses, phone numbers, dates of birth, profile information, posts, photos, videos, stories, direct messages, account activity, interaction history, and any connected or linked services. It was total access, not a partial exposure.
The Technical Flaw
The mechanism behind the vulnerability reveals why it slipped through development. The HTS tool would send password reset links to whatever email address a requester supplied without cross-checking it against the account's actual registered address. Upon receiving the reset link, an attacker could generate a new password. If the legitimate account owner hadn't activated two-factor authentication, the account was now fully compromised and the original owner was locked out.
The fix in retrospect is embarrassing. Meta needed to verify that any submitted email address matched the account on file before generating a reset link. This validation should have existed from day one. Instead, it became a patch applied after the vulnerability was discovered and exploited at scale.
Broader Platform Review
Meta's response included more than just fixing HTS. The company announced it would conduct a comprehensive review of similar account recovery flows across all its other platforms, including Facebook and WhatsApp. This suggests Meta isn't fully confident that HTS was the only tool with this kind of verification gap. The scope of that review remains unclear, but the company's own concern points to potential systemic issues in how it approaches account recovery across its ecosystem.
Notification and User Action
Meta informed affected users through official channels and recommends they review their account security settings and enable two-factor authentication. The company plans to reach out to impacted users electronically and provide guidance on securing their accounts moving forward. For users concerned about their Instagram security, Meta advises reviewing recent login activity, removing unfamiliar linked accounts, updating passwords, and enabling two-factor authentication through authenticator apps or security keys.
Regulatory and Historical Context
This incident has drawn scrutiny from state-level regulators. California Attorney General Rob Bonta and 39 other state attorneys general have urged Meta to strengthen its protections against account takeovers, arguing that current measures are insufficient. The HTS vulnerability adds another entry to Meta's breach history. The company has previously faced significant fines, including 264 million euros from Ireland over a 2018 Facebook breach exposing 29 million accounts, 265 million euros in 2022 for failing to protect user data from scrapers, and 91 million euros for storing hundreds of millions of passwords in plaintext. The pattern suggests persistent security lapses despite substantial financial penalties and regulatory pressure.
Sources
https://securityaffairs.com/193307/ai/meta-ai-recovery-tool-flaw-exposed-20000-instagram-accounts.html
https://hackread.com/instagram-recovery-tool-bug-accounts-password-reset/
https://www.agentupdate.ai/news/meta-ai-instagram-password-reset-vulnerability

Comments