
Cyber Incident Victim: Executive Office of the President

Date: Jun 2026

Location: United States of America

Summary

Hackers exploited a vulnerability in Meta's AI-powered support chatbot to reset passwords and take over Instagram accounts, affecting roughly twenty thousand profiles including the Obama White House account, Sephora, and the US Space Force Chief Master Sergeant. By tricking the chatbot into linking their own email to a target account, attackers received a verification code, reset the password, and gained access when two‑factor authentication was not enabled. Meta disabled the chatbot, patched the flaw, forced password resets on affected accounts, enrolled them in a security checkpoint, and began notifying users of the compromise.


Description

On May 31, 2026, Meta’s internal security team discovered that the High Touch Support (HTS) tool, an AI‑powered account recovery feature designed to help users regain access after being locked out, was being abused by attackers who linked their own email addresses to target Instagram accounts and then reset the passwords. The attackers used the chatbot to request that a verification code be sent to the email they supplied, entered the code when prompted, and were then presented with a password‑reset option that allowed them to take control of accounts that did not have two‑factor authentication enabled. By June 8, 2026, Meta had disclosed to the Maine Attorney General’s Office that approximately 20 225 Instagram accounts had potentially been affected, including the dormant Obama White House account, the Sephora brand account, and the profile of US Space Force Chief Master Sergeant John Bentivegna. The disclosure also stated that the exploitation had been uncovered after users reported hijacked accounts on platforms such as X and Reddit, where videos and step‑by‑step instructions showing the attack chain circulated.


In response, Meta immediately disabled the abused HTS tool, invalidated the password‑reset links generated through the vulnerability, and enrolled the affected accounts in a mandatory security checkpoint while forcing password resets to help legitimate owners regain control. The company stated it would send user notifications to the potentially impacted individuals, advising them to review their account security settings and enable two‑factor authentication. Meta’s associate general counsel Amber Hannah noted that while the total number of potentially affected individuals was reported as 20 225, the actual figure could be lower because some of the counted accounts may have been accessed by their legitimate owners rather than by hackers. Meta explained that the chatbot functioned as intended but a bug in a separate code path failed to verify that the email address supplied for a password reset matched the email on file, causing the system to send a reset link to an unassociated email. Before relaunching the support chatbot, Meta said it would fix the authentication check at the Instagram recovery entry point to ensure proper email verification.

Additional details from the attackers’ demonstrations showed that they often used a VPN to approximate the victim’s geographic location to evade Instagram’s location‑based checks, then engaged the Meta AI Support Assistant to request linking a new email to the target account; after receiving and entering the verification code, the chatbot displayed a password‑reset button despite the attacker never needing access to the victim’s original email. Meta’s vice president Andy Stone confirmed on X that the issue had been resolved and that the company was securing impacted accounts, noting that the AI support assistant had been launched in March 2026 to provide 24/7 help for account issues such as password updates and profile settings. Cybersecurity professionals quoted in the coverage characterized the incident as a reminder of the risks of deploying AI agents without sufficient identity verification constraints, though those statements reflect the commentators’ views and are included only as reported.
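The missing check described above, and why a code confirmed at a newly supplied address is not proof of account ownership, shown as an added example (not Meta's code and not from the original page). The `Account` model, the function names and the sample addresses are assumptions constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Account:                      # constructed model, not Meta's schema
    handle: str
    email_on_file: str
    sessions: set = field(default_factory=set)  # ids of logged-in sessions

def _norm(addr: str) -> str:
    return addr.strip().lower()

def reset_recipient_flawed(acct: Account, supplied: str) -> str:
    # The failure mode the page describes: the supplied address is never
    # compared with the one on file, so the link goes wherever the caller says.
    return _norm(supplied)

def reset_recipient_checked(acct: Account, supplied: str):
    # Refuse unless the supplied address matches the stored one, and mail the
    # stored value rather than caller input.
    on_file = _norm(acct.email_on_file)
    if not hmac.compare_digest(_norm(supplied).encode(), on_file.encode()):
        return None
    return on_file

def may_link_email(acct: Account, session_id, new_addr_code_ok: bool,
                   old_contact_code_ok: bool) -> bool:
    # A code confirmed at the NEW address proves control of that mailbox only.
    # Linking also needs proof tied to the account: a logged-in session or a
    # code confirmed at the contact already on file.
    owner_proof = session_id in acct.sessions or old_contact_code_ok
    return new_addr_code_ok and owner_proof

# Constructed sample data.
OWNER = Account("example_brand", "owner@example.com", {"sess-1"})
OUTSIDER = "someone-else@example.net"

if __name__ == "__main__":
    print("flawed :", reset_recipient_flawed(OWNER, OUTSIDER))
    print("checked:", reset_recipient_checked(OWNER, OUTSIDER))
    print("link   :", may_link_email(OWNER, None, True, False))
```

The checked functions are what any recovery entry point, chatbot-driven or not, has to enforce server-side before a reset link or an email change is issued.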
