Meta's AI support assistant handed attackers Instagram reset links
In June 2026, Meta disclosed that attackers hijacked 20,225 Instagram accounts by exploiting High Touch Support, an AI-assisted account recovery workflow built to help locked-out users regain access. The flaw was not a clever model jailbreak. The support flow failed to verify that the email address supplied during recovery actually belonged to the target account, so attackers could persuade the assistant-driven workflow to send reset links to addresses they controlled. Meta disabled the tool, invalidated generated reset links, and promised to review similar recovery flows. This is what happens when a conversational support layer is wired into account recovery before the boring identity checks are treated as non-negotiable security boundaries.
Incident Details
Account recovery is one of the worst places to improvise. It is the narrow bridge between "I lost access to my account" and "someone else now owns it." If a company wants to automate that bridge, the automation has to be more skeptical than a human support agent, not less.
Meta found this out through Instagram's High Touch Support system, an AI-assisted account recovery workflow meant to help users regain access after being locked out. In early June 2026, Meta disclosed that attackers had used a vulnerability in that workflow to hijack 20,225 Instagram accounts. Reports from KrebsOnSecurity, BleepingComputer, and Help Net Security described the same core failure: the system could send password reset links to an email address that was not actually associated with the target Instagram account.
That is not an exotic LLM exploit. It is worse in a more basic way. The recovery system had one job that mattered above every other job: prove that the person requesting a reset controlled something already tied to the account. Instead, a bug in the recovery path allowed an attacker-controlled address to receive the reset link. If the target account did not have two-factor authentication enabled, the attacker could reset the password and log in.
The Recovery Shortcut
Meta described the tool as functioning as intended except for a separate code path that failed to check whether the email address supplied during recovery matched the account. That distinction may matter internally, but it does not help the user whose account was taken. From the outside, the AI-assisted support workflow accepted a recovery request, issued a reset link to the wrong address, and created an account takeover.
KrebsOnSecurity reported that instructions circulated on Telegram showing how to trick Meta's AI support assistant into resetting account passwords. The attack pattern described in public reporting was blunt: use a VPN to appear geographically close to the target, request recovery, ask the assistant-driven support path to link or use an attacker-controlled email address, then receive a reset code or link. Publicly visible victims reportedly included high-profile Instagram accounts, including accounts associated with the Obama White House and the Chief Master Sergeant of the U.S. Space Force, along with short and valuable usernames that are attractive to account thieves.
Meta later told regulators that it discovered the vulnerability on May 31, 2026. Help Net Security reported that the Maine Attorney General filing listed April 17 as the incident date, which suggests unauthorized access may have started weeks before discovery. BleepingComputer reported the affected count as 20,225 Instagram users.
The AI Part Matters
A narrow reading could file this under "bad password reset validation" and move on. That would miss why this belongs here.
The AI layer did not need to be conscious, malicious, or unusually clever. It merely had to sit in front of a sensitive recovery operation and make the wrong path easier to trigger. Account recovery has always been vulnerable to social engineering because support agents are trained to help frustrated users. Replacing or augmenting that agent with an assistant does not remove the social engineering problem. It can scale it.
Human support can be pressured, tricked, rushed, or badly trained. An AI support assistant adds a different failure mode: it can make a privileged workflow feel like a normal chat. If the back-end checks are airtight, that can be survivable. If the back-end checks are loose, the bot becomes a friendly interface for account theft.
The reported failure also shows the danger of treating "support convenience" and "identity assurance" as if they can be optimized by the same system. Users locked out of Instagram want less friction. Attackers want exactly the same thing. A recovery assistant that reduces friction without binding every step to verified account ownership is useful to both groups.
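The ownership check the article keeps returning to is small enough to show in code. The following is an added example, not Meta's code or a reconstruction of its internals: a toy recovery service in which the vulnerable path trusts whatever destination address arrives with the request (here, relayed by a support assistant), while the hardened path lets the request only select among the account's already verified contacts and refuses to add a contact from a recovery session. Account records, the attacker's address and every function name are constructed for illustration.

```python
"""
Added example (not Meta's code): a minimal recovery service contrasting a
reset link sent to a caller-supplied address that is never checked against
the account with a path that binds the destination to verified contacts.
"""
import secrets
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    verified_emails: frozenset   # addresses the owner has proved control of
    mfa_enabled: bool = False


# Constructed fixture: a short, valuable handle with one verified email and no MFA.
ACCOUNTS = {
    "cat": Account("cat", frozenset({"owner@example.net"}), mfa_enabled=False),
}


class RecoveryDenied(Exception):
    """Raised when a privileged change is attempted from an unauthenticated context."""


def _mint_token() -> str:
    # Unguessable single-use token; a real service also stores it with an
    # expiry and the account it was minted for, so it cannot be replayed elsewhere.
    return secrets.token_urlsafe(32)


def _normalise(email: str) -> str:
    return email.strip().lower()


def vulnerable_send_reset(username: str, requested_email: str, outbox: list) -> str:
    """Illustrative bug class: the address that arrived with the request becomes
    the destination. Nothing ties it to the account being recovered."""
    acct = ACCOUNTS[username]
    token = _mint_token()
    outbox.append({"account": acct.username, "to": requested_email, "token": token})
    return token


def hardened_send_reset(username: str, requested_email: str, outbox: list) -> Optional[str]:
    """The request may only *choose* among the account's verified contacts; it can
    never introduce one. Unknown accounts and unassociated addresses get the same
    silent outcome, so the flow is not an oracle for which contacts exist."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    verified = {_normalise(e) for e in acct.verified_emails}
    dest = _normalise(requested_email)
    if dest not in verified:
        return None                      # log for review; nothing leaves the outbox
    token = _mint_token()
    outbox.append({"account": acct.username, "to": dest, "token": token,
                   # A reset link must not stand in for the second factor.
                   "second_factor_required": acct.mfa_enabled})
    return token


def link_email(acct: Account, new_email: str, session_authenticated: bool) -> Account:
    """Adding a contact widens the set of addresses that can later receive reset
    links, so it is a privileged change and is refused from a recovery session."""
    if not session_authenticated:
        raise RecoveryDenied("contact changes require a fully authenticated session")
    return replace(acct, verified_emails=acct.verified_emails | {_normalise(new_email)})


def demo() -> dict:
    """Run both paths against the same attacker-style request and report what was sent."""
    attacker = "mule@example.org"        # constructed attacker-controlled address
    vuln_outbox, hard_outbox = [], []
    vulnerable_send_reset("cat", attacker, vuln_outbox)
    hardened_send_reset("cat", attacker, hard_outbox)
    hardened_send_reset("cat", "  Owner@Example.net ", hard_outbox)
    try:
        link_email(ACCOUNTS["cat"], attacker, session_authenticated=False)
        link_refused = False
    except RecoveryDenied:
        link_refused = True
    return {
        "vulnerable_sent_to": [m["to"] for m in vuln_outbox],
        "hardened_sent_to": [m["to"] for m in hard_outbox],
        "link_refused_in_recovery": link_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the destination is never a free parameter: the hardened path derives it from the account record and treats the request as a selector, and the "link a new email" action that the reported attack pattern leaned on is simply unavailable until the caller has fully authenticated.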
The Data Exposure
Meta said it did not know exactly what information attackers accessed from compromised accounts. That uncertainty is not comforting. Once an attacker controls an Instagram account, they may be able to view or manipulate contact information, profile information, posts, photos, videos, stories, direct messages, account activity, linked services, and other connected account data depending on the account and the session.
This was not just a support transcript leak or a brand embarrassment. It was an account takeover path through a recovery system. That makes the blast radius personal, reputational, and financial. High-value handles can be resold. Public accounts can be defaced. Private messages can be read. Linked services can become next-step targets.
The public reports also make clear that two-factor authentication mattered. Accounts with MFA enabled were harder to take over through this route, while accounts without it were exposed once the attacker received the reset link. That is useful advice for users, but it should not become a way to launder responsibility away from the platform. MFA is a second line of defense. It is not permission to let an account recovery system send password reset links to strangers.
The Shutdown
After discovering the incident, Meta disabled the affected High Touch Support (HTS) workflow and invalidated password reset links generated through the vulnerable path. It also required additional authentication steps for potentially affected accounts and told impacted users to reset passwords and re-authenticate. Before relaunching the tool, Meta said it would fix the email verification check in the Instagram recovery entry point and review similar account recovery flows across Meta platforms.
That last promise is the quiet admission that matters. This was not only a one-off bug in one chat interface. It was a warning about every similar place where AI support meets identity, recovery, billing, refunds, profile changes, or security settings. If the assistant can initiate a privileged action, the system behind it must assume the assistant will be manipulated.
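The containment steps described above (invalidate links issued through the bad path, force re-authentication on affected accounts) imply a retrospective audit: which issued reset links went to an address that was not among the account's verified contacts, and which of those were actually redeemed? The following is an added example, not Meta's tooling, that runs that audit over constructed JSON-lines reset logs. The log format, field names, account names and every value are constructed for illustration; the only assumption is that the service logs each reset-link issuance with its destination and each password change with the token that authorised it.

```python
"""
Added example (not Meta's tooling): audit reset-link issuance logs against the
verified-contact directory and produce the revocation and re-auth lists.
"""
import json
from collections import Counter

# Constructed directory of account -> verified contacts, i.e. what the recovery
# path should have consulted before sending anything.
VERIFIED_CONTACTS = {
    "cat": {"owner@example.net"},
    "dog": {"dog-owner@example.net"},
    "fox": {"fox.owner@example.net"},
    "owl": {"owl-owner@example.net", "owl-backup@example.com"},
}

# Constructed JSON-lines log: one record per issued reset link, plus the
# password changes that redeemed a token. Not real telemetry.
RESET_LOG = """\
{"ts":"2026-05-02T09:12:03Z","event":"reset_link_issued","path":"assistant_recovery","account":"cat","to":"mule@example.org","token_id":"t-001"}
{"ts":"2026-05-02T09:40:11Z","event":"reset_link_issued","path":"web_recovery","account":"dog","to":"dog-owner@example.net","token_id":"t-002"}
{"ts":"2026-05-03T14:05:55Z","event":"reset_link_issued","path":"assistant_recovery","account":"fox","to":"Fox.Owner@Example.net","token_id":"t-003"}
{"ts":"2026-05-04T02:22:09Z","event":"reset_link_issued","path":"assistant_recovery","account":"owl","to":"mule@example.org","token_id":"t-004"}
{"ts":"2026-05-04T02:23:41Z","event":"password_changed","path":"web","account":"owl","token_id":"t-004"}
{"ts":"2026-05-04T08:00:00Z","event":"reset_link_issued","path":"assistant_recovery","account":"ghost","to":"anyone@example.org","token_id":"t-005"}
"""


def _norm(email: str) -> str:
    return email.strip().lower()


def parse_log(text: str) -> list:
    """One JSON object per non-empty line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def audit(records: list, contacts: dict) -> dict:
    """Flag every reset link whose destination was not a verified contact of the
    account it was issued for. An account missing from the directory is treated
    as having no verified contacts, so any link for it is flagged."""
    redeemed = {r["token_id"] for r in records if r.get("event") == "password_changed"}
    revoke, reauth, confirmed = set(), set(), set()
    by_path = Counter()
    for r in records:
        if r.get("event") != "reset_link_issued":
            continue
        verified = {_norm(e) for e in contacts.get(r["account"], ())}
        if _norm(r["to"]) in verified:
            continue                               # legitimate issuance
        revoke.add(r["token_id"])
        reauth.add(r["account"])
        by_path[r["path"]] += 1
        if r["token_id"] in redeemed:
            confirmed.add(r["account"])            # link was used: treat as takeover
    return {
        "tokens_to_revoke": sorted(revoke),
        "accounts_to_reauthenticate": sorted(reauth),
        "accounts_with_redeemed_link": sorted(confirmed),
        "offending_issuances_by_path": dict(by_path),
    }


if __name__ == "__main__":
    print(json.dumps(audit(parse_log(RESET_LOG), VERIFIED_CONTACTS), indent=2))
```

Two details matter in practice: destinations are compared after normalisation, so a legitimately issued link to a differently cased address (t-003) is not swept up, and the redeemed set separates "a bad link was sent" from "a bad link was used", which is the difference between forcing re-authentication and treating the account as already taken over.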
Why This Belongs in the Graveyard
This is one of the clearest examples of the customer-support AI failure mode turning into real security harm. It has the pieces that companies keep insisting they can safely combine: a frustrated user journey, a conversational assistant, a high-value account system, and a workflow designed to move faster than human support.
The failure was not that the bot wrote a silly answer. The failure was that the support automation touched account recovery and the surrounding software allowed the wrong person to receive the key. That is a much higher-stakes version of the same pattern seen in smaller AI support failures: the company gains speed and scale, then discovers that the automated layer is now part of the security perimeter.
A competent account recovery system starts from distrust. Meta's AI-assisted support path appears to have started from helpfulness, then depended on a broken check to keep that helpfulness from becoming account takeover. Attackers found the gap and used it at scale.