Meta AI Recovery Tool Flaw Exposed 20,000+ Instagram Accounts

Pierluigi Paganini June 08, 2026

A flaw in Meta’s AI-powered Instagram recovery tool exposed over 20,000 accounts, letting attackers reset passwords and take over profiles.

Meta’s High Touch Support tool, known as HTS, was designed to help Instagram users recover locked accounts: you provide an email address, you get a password reset link. The flaw was equally simple: the tool never checked whether that email actually belonged to the account being recovered. Anyone could request a reset link for any account, have it land in their own inbox, and walk straight in, provided the target hadn’t enabled two-factor authentication.

The breach occurred from approximately April 17, 2026 until Meta pulled the tool in early June. That’s roughly seven weeks of an open door, and Meta only discovered the problem on May 31. The operation ran undetected for about six weeks before anyone inside the company noticed, which is a detail that tends to get buried under the headline number.

Meta disclosed that 20,225 Instagram accounts were compromised after attackers exploited the flaw.

“We are writing to inform you that a vulnerability in an Instagram account recovery support tool was used to potentially compromise the Instagram accounts of 30 users in your jurisdiction,” reads the data breach notice Meta filed with Maine’s Office of the Attorney General. “All accounts have been secured to prevent any continued unauthorized access.”

The mechanism is worth understanding precisely. The HTS tool sent password reset links to whatever email the requester supplied, without cross-checking it against the account’s actual registered address. Once an attacker reset the password that way, the original owner was locked out. What the attacker then had access to was everything: contact information, date of birth, direct messages, posts, stories, account activity, profile data, and any linked external services. Not a partial exposure. The whole account.

“On May 31, 2026, Meta discovered that there was a vulnerability in an AI-assisted account recovery system for Instagram (‘High Touch Support’ or ‘HTS’) that was exploited by unauthorized third parties to perform password resets on Instagram user accounts.” continues the notice. “As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request. This allowed unauthorized third parties to receive a password reset link for accounts they did not own. Upon resetting the password, the unauthorized party was able to log in to the account if the account holder had not enabled two-factor authentication (2FA).”

Once discovered, Meta moved quickly: it disabled HTS entirely, invalidated every reset link the tool had generated through the vulnerable path, enrolled all potentially affected accounts into a mandatory security checkpoint, and forced a full password reset and re-authentication for everyone impacted.

The fix before relaunch is straightforward in principle and embarrassing in retrospect: verify that any submitted email address matches the account on file before generating a reset link. That check should have been there from day one. Meta is also conducting a review of similar account recovery flows across all its other platforms, which implies the company isn’t fully confident HTS was the only tool with this kind of gap.
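The two behaviours described above, as an added example that is not Meta's code and makes no claim about how HTS is actually implemented: an in-memory account store, a token table and a mail outbox stand in for the real systems, and every name in it (`vulnerable_recover`, `hardened_recover`, the sample accounts, the attacker address) is hypothetical. The vulnerable path mails the reset link to whatever address the requester supplied; the hardened path only issues a link when the supplied address matches the verified address on file, mails it only to that address, and answers identically on a mismatch so the form cannot be used to learn which address belongs to which account. It also models why 2FA blunted the takeover and the containment step of revoking every link that was mailed somewhere other than the registered address.

```python
"""Added example, not Meta's code: the HTS failure mode beside the check that
should have gated it. Account store, token format and outbox are stand-ins."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

@dataclass
class Account:
    username: str
    registered_email: str  # address on file, verified at signup
    twofa_enabled: bool = False
    password_hash: str = "owner-hash"

@dataclass
class ResetToken:
    username: str
    sent_to: str  # address the link was actually mailed to
    expires_at: float
    used: bool = False

# Constructed sample accounts: alice has no 2FA, bob does.
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com"),
    "bob": Account("bob", "bob@example.com", twofa_enabled=True),
}
TOKENS = {}  # token -> ResetToken
OUTBOX = []  # (recipient, token); stands in for the mail sender

def normalize(email: str) -> str:
    return email.strip().lower()

def _issue(username: str, recipient: str) -> str:
    token = secrets.token_urlsafe(32)
    TOKENS[token] = ResetToken(username, recipient, time.time() + TOKEN_TTL_SECONDS)
    OUTBOX.append((recipient, token))
    return token

def vulnerable_recover(username: str, supplied_email: str) -> Optional[str]:
    """Mirrors the bug: the link goes to whatever address the requester typed."""
    if username not in ACCOUNTS:
        return None
    return _issue(username, normalize(supplied_email))

def hardened_recover(username: str, supplied_email: str) -> None:
    """Issues a link only when the supplied address matches the one on file, and only
    to that address. Returns nothing in every case, so the response is not an oracle."""
    account = ACCOUNTS.get(username)
    if account is None:
        return
    supplied = normalize(supplied_email).encode()
    on_file = normalize(account.registered_email).encode()
    if not hmac.compare_digest(supplied, on_file):
        return  # mismatch: no token is created, so there is nothing to intercept
    _issue(username, on_file.decode())

def redeem(token: Optional[str], new_password_hash: str) -> bool:
    """Single-use, time-bounded password reset."""
    rec = TOKENS.get(token)
    if rec is None or rec.used or time.time() > rec.expires_at:
        return False
    rec.used = True
    ACCOUNTS[rec.username].password_hash = new_password_hash
    return True

def login(username: str, password_hash: str, second_factor_ok: bool = False) -> bool:
    """2FA is what stopped the takeover once the password had been reset."""
    account = ACCOUNTS.get(username)
    if account is None or not hmac.compare_digest(account.password_hash.encode(), password_hash.encode()):
        return False
    return second_factor_ok or not account.twofa_enabled

def revoke_off_file_tokens() -> int:
    """Containment step described above: invalidate every unused link that was
    mailed anywhere other than the account's registered address."""
    revoked = 0
    for rec in TOKENS.values():
        if not rec.used and rec.sent_to != normalize(ACCOUNTS[rec.username].registered_email):
            rec.used = True
            revoked += 1
    return revoked

def demo() -> dict:
    """Attacker targets alice (no 2FA) and bob (2FA) through both recovery paths."""
    TOKENS.clear()
    OUTBOX.clear()
    attacker = "mallory@attacker.example"
    alice_taken = redeem(vulnerable_recover("alice", attacker), "attacker-hash") and login("alice", "attacker-hash")
    bob_taken = redeem(vulnerable_recover("bob", attacker), "attacker-hash") and login("bob", "attacker-hash")
    before = len(OUTBOX)
    hardened_recover("alice", attacker)  # rejected silently, nothing mailed
    hardened_recover("alice", "  Alice@Example.com ")  # matches after normalisation
    sent = OUTBOX[before:]
    return {
        "vulnerable_alice_takeover": alice_taken,
        "vulnerable_bob_takeover": bob_taken,
        "hardened_links_to_attacker": sum(1 for r, _ in sent if r == attacker),
        "hardened_links_to_owner": sum(1 for r, _ in sent if r == "alice@example.com"),
    }
```

The hardened function deliberately returns nothing rather than a distinguishable "address does not match" error: a recovery form that confirms or denies a match becomes an oracle for which email belongs to which account, which is the first thing an attacker running this at scale would want. Matching on the normalised address keeps a legitimate owner from being rejected over case or whitespace, and `hmac.compare_digest` costs nothing extra over `==` while closing the timing side channel a plain comparison leaves open. Note that in the bob case the reset itself still succeeds, so the owner is still locked out; 2FA only denies the attacker the final login, which is exactly the distinction the notice draws.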

On user notification, Meta’s filing was careful with language. “As soon as practical, Meta intends to send user notifications to the potentially impacted users to inform them of this incident, recommend that they review their account security settings, and enable 2FA.”

Beyond those notifications, California Attorney General Rob Bonta and 39 other state attorneys general have urged Meta to strengthen its protections against account takeovers, calling current measures insufficient.

This isn’t the first time Meta has been penalised over how it protects accounts. Ireland’s Data Protection Commission fined the company €251 million (about $264 million) over a 2018 Facebook breach exposing 29 million accounts, €265 million in 2022 for failing to protect user data from scrapers, and another €91 million for storing hundreds of millions of passwords in plaintext.

The HTS incident adds a new entry: an AI support tool deployed in a security-critical context, performing privileged account actions, without the most basic identity verification in place. The tool was designed to help users get back in. It turns out it was equally good at helping strangers do the same.
