Meta disclosed that an Instagram recovery tool bug affected 20,225 users by allowing password reset links to be sent to unlinked email addresses. Accounts without two-factor authentication faced possible takeover risk, prompting Meta to disable the tool.

Meta Discloses Instagram Recovery Tool Bug Affecting 20,225 Accounts

The420 Correspondent

Meta has disclosed a security incident involving an Instagram account recovery tool after a bug allegedly allowed attackers to send password reset links to email addresses that were not connected to targeted accounts. According to a data breach notice filed with the Maine Attorney General’s Office, the issue affected 20,225 people in total, including 30 Maine residents, and exposed some users without two-factor authentication to account takeover risk.

Recovery Tool Bug Exposed Reset Process

The incident involved Instagram’s “High Touch Support” system, an AI-assisted account recovery tool designed to help users regain access when locked out of their accounts. As part of the process, users could request a password reset link by providing an email address.


Meta said the support tool itself functioned as designed, but a bug in a separate code path caused a serious validation failure. The system did not properly confirm that the email address entered during recovery matched the email address already linked to the Instagram account.

Because of that error, an unauthorized person could request a password reset for someone else’s Instagram account and have the reset link sent to an email address under their control. If the targeted account did not have two-factor authentication enabled, the attacker could reset the password and access the account.

Account Data May Have Been Accessible

Meta said it is not aware of exactly what personal information was viewed. However, the company listed several categories of account data that may have been accessible, including email addresses, phone numbers, dates of birth, profile information, posts, photos, videos, stories, direct messages, account activity, interaction history, and connected accounts or linked services.

The 30 Maine users identified in the filing were described as people whose passwords were reset through the support tool, who did not have two-factor authentication enabled, and whose Instagram accounts were likely accessed by an unauthorized party. Meta also said the number is an upper limit because some account activity may have been carried out by legitimate account owners.

After identifying the flaw, Meta said it disabled the AI-assisted support tool on the same day and invalidated all existing password reset links generated through the vulnerable path. The company also placed affected accounts behind a mandatory security checkpoint, requiring users to authenticate before regaining access.

Meta Plans Fixes Before Restoring Tool

Meta said impacted users are being instructed to reset their passwords and re-authenticate through secure channels. The company also plans to notify affected users electronically on June 19, 2026, and recommend that they review account security settings and enable two-factor authentication.

Before bringing the tool back, Meta said it will fix the authentication check in Instagram’s recovery flow so that password reset requests are verified against existing account information. The company also said it is reviewing similar recovery flows on Meta platforms to look for related issues.
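The validation failure described in the notice, and the fix Meta says it will apply, can be illustrated with a small in-memory recovery flow. This is an added example, not Meta's or Instagram's code: it models the buggy code path (the address typed by the requester is used for delivery without being compared to the address on file), the hardened path (the request is verified against the linked address and the link is only ever delivered there), the role of two-factor authentication in limiting the impact, and the containment step of voiding every outstanding reset link. All class and function names, and the sample accounts, are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


def normalize_email(addr: str) -> bytes:
    """Canonical form for comparison (trimmed, lower-cased); bytes for compare_digest.
    Assumption: case-insensitive matching is acceptable for this service."""
    return addr.strip().lower().encode("utf-8")


@dataclass
class Account:
    username: str
    linked_email: str          # address already on file for this account
    two_factor_enabled: bool
    password: str = "old-password"   # plain text only for the demo; hash it in real code


@dataclass
class RecoveryService:
    accounts: dict
    reset_tokens: dict = field(default_factory=dict)  # token -> username
    outbox: list = field(default_factory=list)        # (recipient, token); stand-in for email

    def _issue(self, username: str, recipient: str) -> str:
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = username
        self.outbox.append((recipient, token))
        return token

    def request_reset_vulnerable(self, username: str, email: str):
        """Buggy pattern from the notice: the requester-supplied address becomes the
        delivery address and is never compared with the address on file."""
        if username not in self.accounts:
            return None
        return self._issue(username, email)

    def request_reset_fixed(self, username: str, email: str):
        """Hardened path: the supplied address must match the address on file,
        and the link is delivered only to the address on file."""
        account = self.accounts.get(username)
        if account is None:
            return None  # same answer as a mismatch, so nothing leaks
        if not hmac.compare_digest(normalize_email(email),
                                   normalize_email(account.linked_email)):
            return None
        return self._issue(username, account.linked_email)

    def redeem(self, token: str, new_password: str, second_factor_passed: bool = False) -> bool:
        """Consume a link once. An account with 2FA still needs its second factor,
        which is why the notice scopes the takeover risk to accounts without it."""
        username = self.reset_tokens.pop(token, None)
        if username is None:
            return False
        account = self.accounts[username]
        if account.two_factor_enabled and not second_factor_passed:
            return False
        account.password = new_password
        return True

    def invalidate_all_tokens(self) -> int:
        """Containment step: void every outstanding link issued through the tool."""
        count = len(self.reset_tokens)
        self.reset_tokens.clear()
        return count


def build_sample_service() -> RecoveryService:
    """Constructed sample accounts; these are not real users."""
    return RecoveryService(accounts={
        "no2fa_user": Account("no2fa_user", "owner-a@example.invalid", False),
        "twofa_user": Account("twofa_user", "owner-b@example.invalid", True),
    })


if __name__ == "__main__":
    svc = build_sample_service()
    svc.request_reset_vulnerable("no2fa_user", "unlinked@example.invalid")
    print("vulnerable path delivered to:", svc.outbox[-1][0])
    print("fixed path, unlinked address:", svc.request_reset_fixed("no2fa_user", "unlinked@example.invalid"))
    svc.request_reset_fixed("no2fa_user", " Owner-A@Example.invalid ")
    print("fixed path, linked address delivered to:", svc.outbox[-1][0])
    print("outstanding links voided:", svc.invalidate_all_tokens())
```

The hardened path does two things the buggy one did not: it refuses the request unless the supplied address matches the linked one, and, even on a match, it addresses the message to the stored value rather than to whatever was typed, so a later bug in the comparison cannot redirect delivery on its own. Returning the same `None` for an unknown username and for a mismatch avoids turning the recovery form into an account-existence oracle.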

The disclosure comes during a period of wider concern around Instagram account recovery systems. Separate reports have described attackers abusing Meta’s AI support bot to hijack major Instagram accounts, and another password reset problem that reportedly exposed contact details of high-profile users. However, Meta’s Maine notice does not say those later reports were part of the same incident. The filing is limited to the AI-assisted High Touch Support recovery tool and the 20,225 users whose accounts may have been affected through that path.
