Meta has revealed that 20,225 Instagram users had their accounts hijacked in a recent incident where attackers used Meta’s AI-powered support system to reset passwords.

As BleepingComputer reported one week ago, the threat actors exploited a flaw in the company’s High Touch Support (HTS) tool, an AI-assisted support system that helps users regain access after being locked out of their Instagram accounts.

By exploiting the fact that HTS didn’t verify whether email addresses were associated with the targeted Instagram accounts, they obtained password reset links that allowed them to log in and hijack accounts without two-factor authentication (2FA) enabled.