Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Watchlists Beta Browse News Feed Stats About Contact

Instagram account data exposed through Meta HTS recovery flaw

Data Leak
First reported
Last updated
Happening score
H score 41
1 unique sources, 1 articles

Summary

Hide ▲

Instagram account data was exposed after a flaw in Meta’s High Touch Support (HTS) recovery flow let unauthorized third parties receive password reset links for 20,225 accounts. The exposed material included contact information, dates of birth, posts and media, direct messages, account activity, profile information, and connected accounts. Meta disabled the vulnerable path, invalidated reset links, and notified potentially impacted users.

Related Happenings

Instagram High Touch Support password reset security flaw

Vulnerability
First: 08.06.2026 09:00 Last: 08.06.2026 09:00 Sources 1

How related: The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account,

About this happening: **Meta's High Touch Support (HTS)** flaw enabled attackers to trigger **Instagram password resets**, creating account-takeover risk for **over 20,000 users** and weakening protect...

Open Happening

Meta AI-powered support tools abused in Instagram account recovery flow

Security Tool/Service
First: 02.06.2026 18:47 Last: 02.06.2026 18:47 Sources 1

How related: The tool is meant to help users locked out of their Instagram accounts regain access by sending them a new password link.

About this happening: **Instagram accounts** were hijacked after attackers abused **Meta’s AI-powered support tools** to pass recovery checks and change the recovery email, creating a direct failure in...

Open Happening

Instagram accounts for Obama White House hit by account takeover attack

Incident
First: 01.06.2026 20:32 Last: 01.06.2026 20:32 Sources 1

How related: Unauthorized third parties gained access to thousands of Instagram accounts by exploiting a vulnerability in an AI support tool, Meta has revealed.

About this happening: The **Instagram** accounts for the **Obama White House** and the **Chief Master Sergeant of the U.S. Space Force** were briefly **defaced** after attackers abused **Meta’s AI supp...

Open Happening

Instagram private profiles server-side authorization failure security flaw

Vulnerability
First: 31.01.2026 16:27 Last: 31.01.2026 16:27 Sources 1

About this happening: A **server-side authorization failure** in **Instagram private profiles** exposed links to private photos in **HTML responses**, allowing **unauthenticated visitors** to reach con...

Open Happening

U.S. Supreme Court hit by network compromise

Incident
First: 19.01.2026 18:04 Last: 19.01.2026 18:04 Sources 1

About this happening: The **U.S. Supreme Court**, **AmeriCorps**, and the **Department of Veterans Affairs** suffered a **stolen-credential** account compromise that exposed restricted systems and sens...

Open Happening

Timeline

  1. 08.06.2026 11:00 1 articles · 9h ago

    Meta finds Instagram password-reset verification bug in HTS tool

    Technical Analysis Update

    Meta discovered on May 31, 2026 that the AI-powered High Touch Support (HTS) recovery tool failed to verify whether the email address in an Instagram password-reset request matched the account’s registered email address, allowing reset links to be sent to an unassociated email address.

    Show sources
    Open in new tab
  2. 08.06.2026 11:00 2 articles · 9h ago

    Meta discloses exposure of 20,225 Instagram accounts through HTS flaw

    Initial Disclosure

    Meta disclosed that unauthorized third parties used the HTS flaw to obtain password reset links and access 20,225 Instagram accounts, exposing contact information, dates of birth, social media posts and content, direct messages, account activity history, profile information, and connected accounts. Meta disabled the AI-assisted HTS support tool and vulnerable code path, invalidated existing reset links, enrolled affected accounts in a mandatory security checkpoint, and urged users to reset passwords, reauthenticate, and enable two-factor authentication.

    Show sources
    Open in new tab