AI NewsNews

Instagram account recovery bug may have affected 20,225 people

Published: Updated:

Meta reported an Instagram account-recovery flaw that could send a password-reset link to an email address not associated with the account.

Meta said a flaw in Instagram's account-recovery process may have affected 20,225 people. The incident involved AI-assisted High Touch Support, but the cause was more specific than a chatbot simply being persuaded to hand over an account.

What was the bug?

According to Meta, the support tool worked as designed, while a separate code path failed to verify that the email address supplied for a password reset belonged to the account owner. A reset link could therefore be sent to an unrelated address. Accounts without two-factor authentication were the most exposed.

What is the practical lesson?

This was an authorization bug in an account-recovery workflow, not proof that every AI chatbot can take over an account by itself. The lesson still matters: an agent must not bypass hard identity checks, and access-related operations need separate controls, logs, and limits.

Instagram users should enable 2FA and review active sessions and the email address attached to the account.

Source: - SecurityWeek: Meta disclosure and flaw details

Tags
CybersecurityInstagramMetaAccount recovery

Questions this entry answers

  • What caused the Instagram account recovery breach?
  • How should AI-assisted account recovery be secured?

Seeing a similar issue in your company?

If this entry touches a process, dataset, or implementation problem you already see in your business, it is usually better to start with a short diagnosis than chase the next fashionable AI feature.

Related newsroom entries