Meta disclosed that 20,225 Instagram accounts were potentially affected after attackers abused an AI-assisted account recovery support tool, turning a help workflow into an account-takeover path. The incident was reported to the Maine Attorney General with an April 17, 2026 occurrence date, a May 31, 2026 discovery date, and electronic user notification listed for June 19, 2026.[1]
The filing names Meta Platforms, Inc. and says the affected population includes 30 Maine residents. It does not describe a stolen password database or malware on user devices; the risk is different and more uncomfortable: the recovery process itself appears to have granted access when the wrong party persuaded the support flow to act on their behalf.[1]

BleepingComputer reported on June 8 that the incident involved Meta’s High Touch Support tool, described as an AI-assisted system used to help locked-out Instagram users recover access.[2] Earlier reporting by TechCrunch said attackers had been tricking Meta’s AI-powered support chatbot into granting access to victim accounts, including by changing account recovery details during a support conversation.[3]
That matters because many account-security guides assume the attacker must steal a password, intercept a one-time code, or fool the victim directly. In this case, the sensitive action sat inside a trusted support channel. It is closer to a confused-deputy problem: a tool with recovery authority was allegedly convinced to use that authority for someone who should not have had it.
For howtofix.guide readers, the practical lesson overlaps with earlier account-takeover stories such as the Google AppSheet phishing campaign that hit 30,000 Facebook accounts, but the failure point is different. A strong password and no malware infection may not be enough if the platform’s own support automation can be pushed into resetting ownership.
What Instagram users should check now
If you receive a Meta or Instagram notice about the incident, or if you saw unexpected password-reset messages in late May or early June, start with the basics: change the Instagram password from a trusted device, review the account email and phone number, remove unknown sessions, and check whether any unfamiliar devices, apps, or business roles were added.
Enable app-based two-factor authentication if it is not already active, save fresh backup codes, and avoid using a public or easily guessed recovery email for high-value creator or business accounts. If the account is tied to a brand, document admin ownership outside Instagram so recovery does not depend on one person’s inbox or phone.
Meta’s own support-security messaging has promoted AI-assisted recovery as a way to speed up account help on Facebook and Instagram.[4] The new disclosure shows why those systems need hard boundaries: identity verification, recovery-email changes, password resets, and 2FA bypass decisions should leave durable audit trails and should not be completed by a conversational agent alone.
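The boundary described above, sketched as an added example (not Meta's code and not taken from the filing or the reports): a gate between a conversational agent and the recovery backend that refuses sensitive actions the agent requests on its own and records every decision in a hash-chained log. The action names, the two approval fields and the sample account are assumptions made for illustration.

```python
import hashlib
import json

# Hypothetical labels for the actions the article says need hard boundaries.
SENSITIVE = {"verify_identity", "change_recovery_email", "reset_password", "bypass_2fa"}
GENESIS = "0" * 64

def _digest(prev, record):
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry commits to the one before it."""
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "record": record, "hash": _digest(prev, record)})

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(prev, e["record"]):
                return False
            prev = e["hash"]
        return True

def authorize(request, log):
    """Gate a recovery action proposed by the agent; log the decision either way."""
    # Assumption: both approval fields are set by separate systems, never
    # derived from anything said in the support conversation.
    if request["action"] not in SENSITIVE:
        allowed, reason = True, "non-sensitive action"
    elif not request.get("confirmed_on_existing_contact"):
        allowed, reason = False, "no confirmation from contact already on file"
    elif not request.get("human_reviewer"):
        allowed, reason = False, "no human reviewer sign-off"
    else:
        allowed, reason = True, "out-of-band confirmation and reviewer"
    log.append({**request, "allowed": allowed, "reason": reason})
    return allowed

if __name__ == "__main__":
    log = AuditLog()
    # Constructed request: the agent acting alone on a chat user's say-so.
    req = {"account": "acct-1", "action": "change_recovery_email", "requested_by": "support-agent"}
    print(authorize(req, log))
    print(authorize({**req, "confirmed_on_existing_contact": True, "human_reviewer": "reviewer-7"}, log))
    print(log.verify())
```

A hash chain only makes edits detectable; the log still has to be stored where the agent and its operators cannot rewrite it wholesale.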
Users should also be alert for follow-on scams. Account-takeover incidents often create fake “recovery specialist” pitches, paid support impersonators, and urgent messages claiming to restore access. That social-engineering pattern is familiar from fake IT support campaigns and from AI-themed malware lures such as the fake OpenAI privacy filter repository. Treat unsolicited recovery help as hostile unless it comes through the official app or a verified Meta channel.
References
1. Maine Attorney General, Data Breach Notice for Meta Platforms, Inc., filed June 2026. Notice record.
2. BleepingComputer, “Over 20,000 Instagram accounts stolen in Meta AI support hack,” June 8, 2026. Report.
3. TechCrunch, “Hackers hijacked Instagram accounts by tricking Meta AI support chatbot into granting access,” June 1, 2026. Report.
4. Meta, “Making it Easier to Access Account Support on Facebook and Instagram,” updated March 19, 2026. Company update.