Meta Data Breach Impacts 20,225 U.S. Instagram Users

Published: June 9, 2026
Updated: June 9, 2026

Meta Platforms Inc., the parent company of Facebook, Instagram, WhatsApp and Messenger, disclosed a data breach involving its Instagram platform that affected approximately 20,225 individuals in the United States. The company discovered the breach on May 31, 2026.

Meta reported the breach to the offices of the attorneys general of Maine and Vermont on June 5, 2026. Meta plans to notify affected consumers electronically on June 19, 2026.

According to the company's disclosure, a vulnerability in an AI-assisted account recovery tool for Instagram was exploited by unauthorized third parties to perform password resets on user accounts.

The tool, known as "High Touch Support" or HTS, was designed to help users who were locked out of their Instagram accounts regain access. As part of the normal recovery process, users could request that a password reset link be sent to their email address. An internal bug prevented the system from confirming that the email address supplied for the password reset matched the email address on the user's Instagram account.

Because of this flaw, when someone provided an email address that was not linked to the account, the system incorrectly sent a password reset link to that unassociated email address instead of rejecting the request. This allowed unauthorized third parties to receive password reset links for accounts they did not own. Once they reset the password, they could log in to the account if the account holder had not enabled two-factor authentication.

The following categories of personal information may have been accessible within the affected Instagram accounts: contact information (email address and phone number), date of birth, social media posts and content (photos, videos and stories), direct messages and communications, account activity and interaction history, profile information (biography and profile photo), and connected accounts and linked services.

Meta's response to the breach

To secure accounts that may have been compromised, Meta enrolled all potentially affected accounts into a mandatory security checkpoint. This checkpoint requires users to authenticate before gaining any account access, which prevents continued unauthorized use. The company also instructed affected users to reset their passwords and re-authenticate through secure, verified channels.

As a longer-term measure, Meta will fix the authentication check in the Instagram recovery tool to ensure proper verification of email addresses against existing account information before any password reset is initiated.
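The missing check described above and the verification described as the fix can be shown side by side. This is an added illustration, not Meta's code: the function names, the `ACCOUNTS` store, the `OUTBOX` mail stand-in and the sample addresses are all hypothetical and constructed for the example.

```python
import hmac
import secrets

# Constructed sample data; the username and addresses are illustrative only.
ACCOUNTS = {"alice": {"email": "alice@example.com"}}
OUTBOX = []  # stands in for the mail system: (recipient, username, token)


def _send_reset_link(recipient, username):
    token = secrets.token_urlsafe(32)  # unguessable single-use reset token
    OUTBOX.append((recipient, username, token))


def _normalize(email):
    return email.strip().lower()


def request_reset_flawed(username, supplied_email):
    """Behaviour the article describes: no check against the account's email."""
    if username not in ACCOUNTS:
        return False
    # The link goes to whatever address the requester typed in.
    _send_reset_link(supplied_email, username)
    return True


def request_reset_checked(username, supplied_email):
    """Verify the supplied address against the account record before sending."""
    account = ACCOUNTS.get(username)
    if account is None:
        return False
    on_record = _normalize(account["email"])
    supplied = _normalize(supplied_email)
    # Constant-time comparison avoids leaking how much of the address matched.
    if not hmac.compare_digest(on_record.encode(), supplied.encode()):
        return False  # reject: the address is not linked to this account
    # Send to the stored address, never to the caller-supplied string.
    _send_reset_link(account["email"], username)
    return True
```

In a real recovery flow the caller-facing response should be the same whether or not the address matched, so the endpoint cannot be used to confirm which email belongs to an account.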

Meta plans to send electronic notifications to affected users informing them of the incident. The notifications will recommend that users review their account security settings and enable two-factor authentication.

Affected Entity: Meta
Consumers Notification Date: June 19, 2026
Date of Breach:
Breach Discovered Date: May 31, 2026
Total People Affected:
Information Types Exposed
  • Login Credentials
  • Contact information (email address and/or phone number)
  • Date of birth
  • Social media posts and content (photos, videos, stories)
  • Direct messages and communications
  • Account activity and interaction history
  • Profile information (