Unauthorized third parties gained access to thousands of Instagram accounts by exploiting a vulnerability in an AI support tool, Meta has revealed.
Meta said it discovered the problem with the AI-powered High Touch Support (HTS) tool on May 31.
The tool is meant to help users locked out of their Instagram accounts regain access by sending them a new password link.
“The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account,” Meta explained in a letter to the Main attorney general’s office (OAG).
“As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request.”
Read more on Meta security: Meta To Introduce Full Passkey Support for Facebook on Mobiles
As a result, the threat actors were able to receive password reset links for accounts they didn’t own, and log-in if the rightful account holder didn’t have two-factor authentication (2FA) enabled.
According to the regulatory filing, 20,225 Instagram uses had their accounts compromised in this manner. Among the data exposed by the security snafu were:
- Contact information (email address and/or phone number)
- Date of birth
- Social media posts and content (photos, videos, stories)
- Direct messages and communications
- Account activity and interaction history
- Profile information (biography, profile photo)
- Connected accounts and linked services
Clearing up the Mess
Meta said it took immediate steps to address the incident, including disabling the AI-assisted HTS support tool and vulnerable code path, and invalidating all existing password reset links.
The social media giant also enrolled affected accounts into a “mandatory security checkpoint” preventing authentication before account access. It told impacted users to reset their passwords and reauthenticate through secure, verified channels.
“Prior to re-launching the tool, Meta will fix the authentication check in the Instagram recovery entry point to ensure proper verification of email addresses against existing account information before any password reset is initiated,” the firm added.
“Additionally, Meta is conducting a comprehensive review of similar account recovery flows across Meta’s platforms to identify and remediate any potential issues.”
The firm is writing to individuals potentially impacted by the incident, urging them to review account security settings and enable two-factor authentication.
Image credit: Pavel105 / Shutterstock.com
