Meta's AI Account Recovery System 'HTS' Exploit Leads to Hijacking of 20,000+ Instagram Accounts
A security incident stemming from Instagram’s own AI-assisted account recovery system (“High Touch Support” or “HTS”) has put Meta into damage-control mode. In an incident notification letter to Attorney General Aaron Frey, Meta’s Associate General Counsel & Incident Response Legal, Hannah, confirmed that up to “30 Instagram users in Maine” may have been affected by a vulnerability linked to a support tool that handled password resets.
However, in a separate report, Bleeping Computer mentions that the actual number of hijacked accounts is somewhere around 20,000. The incident appears to center on accounts that did not have two-factor authentication enabled, which led to unauthorized access under some circumstances.
Earlier this month, in a reply to a user post on X, Andy Stone, who is VP Communications at Meta, said “This issue has been resolved and we are securing impacted accounts.” In case you are unaware, the vulnerable AI-assisted support tool was disabled immediately. At the same time, the company invalidated all password reset links generated through the affected workflow, ensuring any outstanding links could no longer be used.
Meta has reportedly also forced potentially affected accounts into additional security checks, requiring users to verify their identity before regaining access. Impacted users were instructed to reset passwords through official recovery channels.
Meta specifically noted that users without two-factor authentication faced the highest potential risk during the incident. It’s another reminder that even as platforms continue adding AI-powered tools and automated support systems, traditional account protections remain one of the strongest defenses available. We recommend that you enable two-factor authentication on all your online accounts.
Meta also says affected users will receive notifications and guidance on enabling additional security measures, including 2FA, as the company continues its investigation.