Published: · Region: Global · Category: cyber

[Context image: Meta Platforms logo, via Wikimedia Commons / Wikipedia; not from the reported event.]

Meta AI Support Bug Exposes 20,000+ Instagram Accounts to Takeover Risk

Meta says a flaw in its AI-powered High Touch Support tool let attackers hijack 20,225 Instagram accounts by requesting password resets without proving they owned the email tied to the account. For small businesses, influencers and activists who run their lives through a single handle, the bug turned automated ‘support’ into a backdoor. This piece explains what went wrong, who was exposed, and what the failure reveals about rushed AI in security workflows.

An AI shortcut in Meta’s support system has turned into a major security failure for thousands of Instagram users. The company has disclosed that its AI‑powered High Touch Support tool contained a flaw that allowed attackers to request password reset links for accounts without verifying that the submitted email actually matched the target profile. In practice, that meant anyone could trigger password resets for accounts that did not have two‑factor authentication enabled, opening the door to mass account hijackings.

Meta says the vulnerability was abused between 17 April and 31 May, when the company finally detected the pattern, shut down the tool, and invalidated all generated reset links. By then, attackers had been able to compromise 20,225 Instagram accounts, according to the company’s own figures. Those profiles range from ordinary users to businesses, influencers, and potentially journalists or activists who rely on Instagram as a primary channel for communication and income.

The bug sat at a critical junction in the support process: the moment when a system decides whether to trust a request to take over an account. High Touch Support was designed to streamline interventions for users who needed extra help regaining access, using AI to assess and act on requests at scale. But by failing to cross‑check that a recovery email matched the account on file, the tool reversed the normal security logic — effectively trusting the requester first and asking questions later.
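The verification gap described above, as an added example that is not Meta's code and not drawn from the High Touch Support tool itself: a minimal account-recovery handler in the flawed form (the link is sent to whatever address the requester supplies, without comparing it to the account on file) beside a hardened form (the submitted address is only a lookup key, the link is delivered solely to the address on file, the response is identical whether or not the details matched, and accounts with two-factor authentication are not reset on email alone). The account handles, email addresses and the token store are constructed for the demonstration, and `invalidate_all` mirrors the bulk revocation of reset links the article reports.

```python
"""Account-recovery request handling: the flawed pattern beside a hardened one.
Illustrative example only; the accounts and addresses below are constructed."""
from dataclasses import dataclass, field
from typing import Optional
import hmac
import secrets


@dataclass
class Account:
    handle: str
    email_on_file: str
    two_factor_enabled: bool = False


@dataclass
class ResetOutcome:
    delivered_to: Optional[str]  # where the reset link was actually sent, or None
    status: str                  # message shown to the requester


@dataclass
class ResetLinkStore:
    """Tracks issued reset tokens so every outstanding link can be revoked at once."""
    active: dict = field(default_factory=dict)  # token -> account handle

    def issue(self, handle: str) -> str:
        token = secrets.token_urlsafe(32)
        self.active[token] = handle
        return token

    def invalidate_all(self) -> int:
        """Revoke all outstanding links; returns how many were revoked."""
        count = len(self.active)
        self.active.clear()
        return count


def _normalize(email: str) -> str:
    return email.strip().lower()


def flawed_request_reset(accounts, handle, submitted_email, store) -> ResetOutcome:
    """Flawed: the caller-supplied email is never compared with the account's own.
    Only the absence of 2FA is checked, so the link goes to whoever asked for it."""
    acct = accounts.get(handle)
    if acct is None or acct.two_factor_enabled:
        return ResetOutcome(None, "cannot reset this account automatically")
    store.issue(handle)
    return ResetOutcome(_normalize(submitted_email), "reset link sent")


def hardened_request_reset(accounts, handle, submitted_email, store) -> ResetOutcome:
    """Hardened: the submitted email must match the one on file, the link is only
    ever delivered to the address on file, and the reply is the same for unknown
    handles, mismatches and 2FA-protected accounts, so the endpoint does not
    confirm which email belongs to which handle."""
    generic = "if the details match an account, a reset link has been sent"
    acct = accounts.get(handle)
    if acct is None:
        return ResetOutcome(None, generic)
    if not hmac.compare_digest(_normalize(submitted_email).encode(),
                               _normalize(acct.email_on_file).encode()):
        return ResetOutcome(None, generic)
    if acct.two_factor_enabled:
        # Email alone is not enough; the second factor must be presented first.
        return ResetOutcome(None, generic)
    store.issue(handle)
    return ResetOutcome(acct.email_on_file, generic)


# Constructed sample accounts (hypothetical handles and addresses).
ACCOUNTS = {
    "smallshop": Account("smallshop", "owner@example.com"),
    "reporter": Account("reporter", "desk@example.org", two_factor_enabled=True),
}


def demo():
    """Run both handlers against the same unverified request and report the results."""
    store = ResetLinkStore()
    flawed = flawed_request_reset(ACCOUNTS, "smallshop", "unverified@example.net", store)
    hardened = hardened_request_reset(ACCOUNTS, "smallshop", "unverified@example.net", store)
    matched = hardened_request_reset(ACCOUNTS, "smallshop", "Owner@Example.com", store)
    return flawed, hardened, matched, store.invalidate_all()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The difference is one comparison: the flawed handler treats the submitted address as the destination, while the hardened one treats it as a claim to be checked and delivers only to the address it already holds. Keeping the response text constant across the failure branches also stops the endpoint from being used to confirm which address is tied to a given handle.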

For affected users, the impact goes beyond the loss of photos or follower counts. Many small businesses and creators run their customer outreach, sales funnels, and sponsorship deals through Instagram, with direct messages doubling as a de facto CRM system. A hostile takeover can mean lost revenue, damaged reputations, and exposure of private conversations. For activists and journalists, especially in repressive environments, a compromised account can expose networks of contacts and give adversaries a powerful tool for impersonation or intimidation.

The incident also sharpens a broader concern: how far companies are pushing AI into security‑sensitive workflows before those systems are mature. High Touch Support was meant to make the process faster and more efficient, reducing the burden on human support staff. Instead, its failure mode created a scalable attack vector that bad actors could exploit repeatedly and cheaply over six weeks. The episode shows that when AI is placed at the gate of identity and access, design flaws can translate directly into real‑world harm.

For regulators and policymakers, Meta’s disclosure will be another data point in debates over platform accountability. Data‑protection authorities in jurisdictions with strong privacy laws may scrutinize whether Meta implemented adequate safeguards before deploying AI in account recovery and whether it responded quickly enough once abuse began. Lawmakers already skeptical of big tech’s rapid integration of AI into core systems will see in this case a concrete example of what happens when convenience trumps verification.

Meta’s remediation steps — pulling the tool, invalidating links, and notifying affected users — close the immediate breach but do not resolve the underlying trust problem. Users have little visibility into how AI is used in critical support decisions and virtually no say in whether their accounts are subject to automated or human review. The company’s own numbers suggest that two‑factor authentication would have blocked many of the hijackings, but adoption remains low, especially among casual users and small businesses.

The most resonant takeaway is straightforward: automation without verification is not support; it is a vulnerability waiting to be discovered. The key signals to watch now are whether Meta faces regulatory action or class‑action litigation, how quickly it rebuilds its account‑recovery pipeline with stricter checks, and whether other platforms quietly reassess where they have let AI make security‑critical calls without enough human or technical oversight.
