Meta says hackers abused a flaw in an Instagram account recovery tool and may have gained access to more than 20,000 accounts. Here’s what happened, what information may have been accessed, and how you can better protect your account.
Table of Contents
What Happened?
Meta discovered the issue on May 31, 2026, and reported details to the Maine Attorney General’s Office. The company said attackers abused a flaw in its High Touch Support (HTS) tool, which helps users regain access to locked accounts.
Several high-profile Instagram accounts were reportedly taken over, including accounts linked to the Obama White House, Sephora, and U.S. Space Force Chief Master Sergeant John Bentivegna.
Who Was Affected and What Data Was Leaked?
Meta says approximately 20,225 Instagram users may have been affected. The final number could be lower because some password resets may have been performed by legitimate account owners.
The company has not confirmed exactly what information was accessed.
However, Meta said attackers may have been able to view:
- Profile information
- Email addresses
- Phone numbers
- Dates of birth
- Direct messages
- Social media posts
- Account activity and interaction history
Meta said it does not currently know whether personal information stored in affected accounts was actually accessed.
Even information such as your email address, phone number, messages, or account history can be valuable to criminals. It can be used to create convincing phishing emails, fake support messages, account impersonation attempts, or other fraud.
It is also important to remember that many people discover their information was involved in a breach months or even years later. Some incidents receive major news coverage, while others go largely unnoticed.
If you’re not sure whether your information was leaked somewhere online, checking regularly can help you spot problems earlier.
Futureproof monitors your email 24/7 for data leaks and gives clear steps to secure your account from scams. It helps you quickly check whether your email appeared in known data breaches and get simple steps to secure your account.
Futureproof scans your data for leaks and shows exactly how to close security gaps — before scammers find them first.
Check my safetyHow Did Attackers Take Over Instagram Accounts?
The attack did not involve stolen passwords or malware (harmful software that steals or damages information). Instead, attackers abused a bug in Meta’s account recovery system.
Users could ask the support tool to send a password reset link to an email address.
Because of a software bug, the system failed to properly verify that the email address belonged to the Instagram account owner. As a result, attackers could enter their own email address and receive a password reset link for someone else’s account.
At Futureproof, Kevin explains digital safety in simple words, with clear tips and zero fluff. He holds a degree in information technology and studies fraud trends to keep his tips up-to-date.
In his free time, Kevin plays with his cat, enjoys board-game nights, and hunts for New York’s best cinnamon rolls.
