Meta HTS Bug Exposes 20,000 Instagram Accounts
Key insights
- Meta's HTS tool sent password reset links to any attacker-supplied email without verifying it matched the account owner's registered address.
- Approximately 20,225 Instagram accounts were potentially affected, with high-profile victims including the Obama White House, Sephora, and US Space Force Chief Master Sergeant John Bentivegna.
- Meta disabled HTS, reset affected passwords, invalidated malicious reset links, and enrolled impacted accounts in mandatory security checkpoints.
Why this matters
Meta's HTS was an AI-assisted support tool designed to reduce friction in account recovery, but the same automation that made it useful also let it be abused at scale, with roughly 20,000 accounts potentially affected before the flaw was closed. The root cause was not exotic: a privileged recovery path skipped the ownership check that the ordinary reset flow depends on. The case shows that putting AI into support workflows adds authentication attack surface that standard security reviews can miss, especially when the tool mediates trust decisions such as identity verification. For founders and technical leaders building AI-powered operations tools, it is a direct prompt to audit whether AI-mediated workflows bypass verification steps that would be mandatory in non-AI code paths.
Summary
Meta's High Touch Support (HTS) tool, an AI-powered Instagram recovery feature, sent password reset links to an attacker-supplied email address without verifying that the address belonged to the account owner.
Attackers used this to take over accounts that did not have two-factor authentication enabled. Victims include the Obama White House account, Sephora, and US Space Force Chief Master Sergeant John Bentivegna.
Essentially: a missing ownership check in a privileged Meta support tool created an account-takeover path against Instagram users.
- 20,225 individuals potentially affected, per Meta's Maine AG filing.
- Meta disabled HTS, reset affected passwords, and invalidated malicious reset links.
- Breached accounts enrolled in mandatory security checkpoints, with notifications recommending 2FA to follow.
AI-assisted support tools are authentication surfaces and need the same adversarial testing as the login and recovery paths they sit beside.
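The flaw class described above, as an added illustration (this is example code written for this page, not Meta's HTS code or anything from the original article): a recovery handler that treats the requester's email as the delivery address, beside a hardened handler that treats it only as an ownership claim and delivers to the registered address. The account store, the outbox, the token store, the domain `recovery.example.invalid` and the function names are all constructed for the example.

```python
"""Recovery-link delivery: the missing ownership check beside its fix.

Added illustration of the flaw class described above, not Meta's HTS code.
Account data, the outbox and the token store are constructed for this example.
"""
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed account store (hypothetical users, not real accounts).
ACCOUNTS: Dict[str, Dict[str, object]] = {
    "alice": {"email": "alice@example.com", "two_factor": False},
    "bob": {"email": "bob@example.com", "two_factor": True},
}

# Stand-in for the mail service: records (recipient, link) for inspection.
OUTBOX: List[Tuple[str, str]] = []

# Pending reset tokens: token -> (username, expiry as epoch seconds).
PENDING: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 15 * 60

# One reply for every outcome, so the endpoint leaks nothing about accounts.
UNIFORM_REPLY = "If the details match an account, a reset link has been sent."


def _send_reset_link(recipient: str, token: str) -> str:
    link = f"https://recovery.example.invalid/reset?token={token}"
    OUTBOX.append((recipient, link))
    return link


def reset_vulnerable(username: str, contact_email: str) -> str:
    """VULNERABLE: the requester chooses where the reset link goes.

    The account is looked up, but contact_email is never compared with the
    address on file, so anyone who knows a username can route the link to an
    inbox they control. This is the flaw class the article describes."""
    if username in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        PENDING[token] = (username, time.time() + TOKEN_TTL_SECONDS)
        _send_reset_link(contact_email, token)
    return UNIFORM_REPLY


def _same_address(a: str, b: str) -> bool:
    # Case-insensitive comparison of trimmed addresses, constant-time so the
    # check itself cannot be used as a timing oracle on the stored address.
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())


def reset_hardened(username: str, contact_email: str) -> str:
    """HARDENED: the supplied address is an ownership claim, never a destination.

    The link is only ever sent to the registered address, and only when the
    claim matches it. The reply is identical for unknown users and mismatches,
    so the endpoint cannot be used to enumerate accounts or probe addresses."""
    account = ACCOUNTS.get(username)
    if account is not None and _same_address(str(account["email"]), contact_email):
        token = secrets.token_urlsafe(32)
        PENDING[token] = (username, time.time() + TOKEN_TTL_SECONDS)
        _send_reset_link(str(account["email"]), token)  # registered address only
    return UNIFORM_REPLY


def consume_reset_token(token: str) -> Optional[str]:
    """Redeem a token exactly once, within its lifetime; returns the username.

    Invalidating all outstanding links (the remediation step the article
    reports) is PENDING.clear() for this in-memory store."""
    entry = PENDING.pop(token, None)
    if entry is None:
        return None
    username, expiry = entry
    return username if time.time() <= expiry else None


def support_tool_reset(request: Dict[str, str]) -> str:
    """Assisted-support path: same gate as self-service, no separate code path.

    Whatever front end produced `request` (a human agent, an AI assistant),
    the ownership check cannot be skipped because it lives inside reset_hardened."""
    return reset_hardened(request["username"], request["contact_email"])


if __name__ == "__main__":
    OUTBOX.clear()
    reset_vulnerable("alice", "attacker@evil.example")
    print("vulnerable path delivered to:", [r for r, _ in OUTBOX])
    OUTBOX.clear()
    support_tool_reset({"username": "alice", "contact_email": "attacker@evil.example"})
    print("hardened path delivered to:", [r for r, _ in OUTBOX])
```

The design point is the last function: the assisted path does not get its own reset logic, so a support tool (AI-driven or not) cannot end up with a weaker check than the self-service form. A real deployment would also require the account's second factor before completing a reset for 2FA-enabled accounts, which is why the article's victims were accounts without 2FA.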
Potential risks and opportunities
Risks
- Instagram accounts of high-profile organizations (Obama White House, Sephora) may have had content, DMs, or linked ad accounts accessed before Meta revoked reset links.
- Meta faces regulatory scrutiny from Maine's Attorney General and potentially other state AGs over the adequacy of its AI tool security review and breach notification timeline.
- Other platforms using AI-assisted account recovery tools face pressure to audit similar workflows before researchers or attackers discover analogous email-verification bypass flaws.
Opportunities
- Identity verification vendors (Okta, Jumio, Persona) can position mandatory email-ownership verification as a required layer in any AI-powered support workflow, marketing directly to Meta's competitor platforms.
- Bug bounty programs and security researchers now have a clear template for testing AI-assisted support tools at major platforms for similar email-verification bypass flaws.
- Two-factor authentication adoption campaigns gain a concrete, high-profile case to drive 2FA enablement among Instagram's user base, given Meta's own recommendation in its breach notifications.
What we don't know yet
- How long HTS was actively exploited before Meta identified the flaw: the article provides no detection timeline or first-known attack date.
- Whether the actual count of hijacked accounts has been determined, versus the 20,225 individuals Meta flagged as potentially affected in its Maine AG filing.
- What security review process Meta applies to AI-powered support tools before deployment, and whether HTS underwent adversarial testing for authentication bypass.
Originally reported by securityweek.com
Original headline: Meta Says 20,000 Instagram Accounts Compromised Through Abuse of Its AI Account-Recovery Tool