Technical description
Update: Meta filed a formal data breach notification with Maine's Attorney General on approximately June 6–7, confirming that its AI-powered High Touch Support (HTS) Instagram account-recovery chatbot was exploited to compromise 20,225 accounts between April 17 and May 31, 2026. A bug in a separate code path failed to verify that the email address provided by a password-reset requester matched the email already associated with the target account. Attackers simply asked Meta's chatbot to link their email to any account, received a valid reset link, and took over accounts that lacked 2FA. The affected population includes high-profile accounts belonging to the Obama White House, Sephora, and US Space Force personnel.
Attack vector
Social engineering of an AI-powered support chatbot: the attacker submits a password-reset request supplying an attacker-controlled email address; the HTS tool skips the email-ownership verification step and mails a valid reset link to that address. No technical exploit or credential is required, only a natural-language request to the chatbot.
Affected systems
Meta Instagram accounts that (a) used the HTS AI-assisted account-recovery workflow and (b) did not have two-factor authentication enabled. Approximately 20,225 accounts confirmed affected.
Mitigation
Meta has disabled HTS, invalidated all reset links generated during the period, enrolled affected accounts in mandatory security checkpoints, and forced password resets. Users should: (1) enable 2FA on all Meta accounts immediately; (2) review account-activity logs for the April 17–May 31 window; (3) audit any linked third-party apps. Enterprises using Meta AI integrations should verify authentication checks in any AI-assisted account or access flows before re-enabling them.
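To make the defect in the attack vector concrete, and to show the kind of check the last mitigation sentence asks enterprises to verify, here is an added illustration (not Meta's code): a reset-link issuance path written the way the page describes the bug, beside a hardened form. The in-memory account store, function names and response text are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the account backend (assumption, not Meta's schema).
@dataclass
class Account:
    username: str
    registered_email: str
    two_factor_enabled: bool = False

ACCOUNTS = {"spacefan": Account("spacefan", "owner@example.com")}

GENERIC_RESPONSE = "If the details match an account, a reset link has been sent."

def normalize(email: str) -> str:
    # Case and whitespace must not let an attacker bypass the comparison.
    return email.strip().lower()

def issue_reset_vulnerable(username: str, requester_email: str, outbox: list):
    """Mirrors the described defect: the address the requester supplies is
    trusted and a valid reset link is mailed to it without checking that it
    is the address already associated with the account."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)
    outbox.append((normalize(requester_email), token))  # goes to the attacker
    return token

def issue_reset_hardened(username: str, requester_email: str, outbox: list) -> str:
    """The requester's address is only a claim to compare against the address
    on file; the link is sent to the registered address and never to the
    supplied one. The response is identical whether or not the claim matched,
    so the flow cannot be used to probe which address belongs to an account."""
    acct = ACCOUNTS.get(username)
    claim = normalize(requester_email).encode()
    if acct is not None and hmac.compare_digest(
        claim, normalize(acct.registered_email).encode()
    ):
        token = secrets.token_urlsafe(32)
        outbox.append((normalize(acct.registered_email), token))
    return GENERIC_RESPONSE
```

An AI support tool should only be able to call the hardened path, and the 2FA check at reset completion stays a separate, mandatory step for accounts that have it enabled.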