Instagram Account Hijacking: How Meta’s AI Support Tool Leaked 20,000 Logins

A mass Instagram account hijacking campaign has exposed an uncomfortable truth about AI-powered customer service: attackers stole more than 20,000 accounts simply by asking Meta’s support bot to hand them over — and it worked.

Meta confirmed the breach affected 20,225 Instagram users after threat actors abused a flaw in its AI-assisted account-recovery system. The targets ranged from short, high-value usernames prized on underground markets to marquee profiles, including the Obama White House account and the page of a senior U.S. Space Force official.

How the Instagram Account Hijacking Worked

The Instagram account hijacking exploited a tool called High Touch Support (HTS), an AI-assisted system that helps users regain access after being locked out. The fatal weakness: HTS never verified whether the email address a requester supplied was actually tied to the targeted account.

  • The trick: Attackers asked the support system to link a victim’s account to an email address under their own control.
  • The payoff: HTS issued a password-reset link to that attacker-controlled email, granting full access.
  • The bypass: Accounts without two-factor authentication (2FA) enabled could be taken over outright.
  • The cover: Attackers routed through VPNs to appear in the same geographic region as their targets, defeating location checks.
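To make the missing check concrete, here is an added toy model of a recovery flow (constructed for this article, not Meta's code): the weak version mails a reset link to whatever address the requester names, while the hardened version only accepts an address already verified on the account, asks 2FA-enabled accounts for their second factor first, and writes every decision to an audit log so a burst of denials on one username can be alerted on. All names and addresses are made up.

```python
"""Weak versus hardened account-recovery check; everything here is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple

@dataclass
class Account:
    username: str
    verified_emails: FrozenSet[str]      # addresses already proven to belong to this user
    two_factor_enabled: bool = False

@dataclass
class Decision:
    allowed: bool
    reason: str
    sent_to: Optional[str] = None        # where the reset link went, if one was issued

# One entry per decision: (username, requested email, allowed, reason).
AUDIT_LOG: List[Tuple[str, str, bool, str]] = []

def _record(account: Account, requested_email: str, decision: Decision) -> Decision:
    AUDIT_LOG.append((account.username, requested_email, decision.allowed, decision.reason))
    return decision

def weak_recovery(account: Account, requested_email: str) -> Decision:
    """Flawed flow: trusts the requester's address and mails the reset link there."""
    return _record(account, requested_email,
                   Decision(True, "no ownership check", requested_email))

def hardened_recovery(account: Account, requested_email: str,
                      second_factor_ok: bool = False) -> Decision:
    """Hardened flow: the link only goes to an address already verified on the account,
    and 2FA-enabled accounts must also pass their second factor before recovery proceeds."""
    email = requested_email.strip().lower()
    if email not in {e.lower() for e in account.verified_emails}:
        return _record(account, email, Decision(False, "email not verified on account"))
    if account.two_factor_enabled and not second_factor_ok:
        return _record(account, email, Decision(False, "second factor required"))
    return _record(account, email, Decision(True, "verified email", email))

def denied_attempts(username: str) -> int:
    """Denied recovery attempts against one username; a spike is a takeover signal."""
    return sum(1 for user, _, ok, _ in AUDIT_LOG if user == username and not ok)
```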

Who Got Hit

Beyond the high-profile names, the campaign zeroed in on short “OG” handles that resell for thousands of dollars. According to reporting by BleepingComputer, Meta discovered the abuse on May 31, 2026, though a regulatory filing in Maine lists the breach date as April 17 — suggesting the attackers operated for weeks before detection.

Why an AI Support Tool Became the Weak Link

This Instagram account hijacking is a textbook case of automation outrunning its own guardrails. A human support agent would likely have paused at a request to redirect a famous account’s recovery email to an unknown address. The AI system, optimized to resolve lockouts quickly, skipped the identity check that should have been non-negotiable.

As companies replace human reviewers with chatbots across support, fraud, and identity workflows, the attack surface shifts. Convenience features that speed up legitimate users can just as easily speed up attackers when verification logic is weak.

How to Protect Your Account

Meta says it has fixed the flaw and notified affected users, but the episode is a reminder to harden your own defenses:

  • Turn on two-factor authentication — ideally with an authenticator app rather than SMS.
  • Use a unique, strong password and a password manager.
  • Review the email addresses and login activity listed in your account security settings.
  • Treat unexpected password-reset emails as a red flag and secure the account immediately.

The bigger lesson lands on the platforms: AI support systems now sit squarely inside the cyberattack surface, and they need verification as rigorous as the human processes they replace.