Meta’s AI Handed Hackers 20,000 Instagram Accounts | Sync Up


A flaw in one of Meta’s AI-powered tools let attackers take over more than 20,000 Instagram accounts. We’ll break down exactly how it happened and what it means for account security, as we sit down and sync up with Rocket IT’s weekly technology update.

In this week’s episode, you’ll hear more about:

  • How a bug in Meta’s AI-powered support tool allowed attackers to take over Instagram accounts without ever knowing the password.
  • Why two-factor authentication was the only thing standing between a secure account and a compromised one.
  • The recovery nightmare users faced after being locked out, with no clear way to reach a real person.
  • What it means for your business when the tools you already rely on are making AI decisions on your behalf.
  • The steps you can take right now to make sure your accounts and data aren’t left exposed by a vendor’s choice.

Video Transcript

Meta recently disclosed that just over 20,000 Instagram accounts were hijacked through a vulnerability in an AI-assisted support tool. The tool at the center of this is something Meta calls High Touch Support, an AI-powered system designed to help users who get locked out of their accounts regain access. As part of that process, a user can request that a password reset link be sent to their email and, in turn, regain access to their account. Now, in this scenario, the system itself worked as intended. But a bug in a separate piece of code meant it failed to verify one critical thing: it didn’t check whether the email address requesting the reset actually belonged to the account in question.

That gap is what attackers exploited. By requesting a password reset for an account they didn’t own and supplying their own email address, they received a working reset link for someone else’s account. From there they could change the password and take it over.

The one thing that stopped this from working was two-factor authentication. Accounts that had it enabled were protected, even when a reset link reached an attacker, because that second layer of verification still stood in the way. For accounts without it, that protection simply wasn’t there.
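As an added illustration, not Meta's code, the reset flow from the last three paragraphs in Python: the vulnerable request handler mails the link to whatever address the caller supplied, the hardened one mails only the address on record, and completing a reset still requires the second factor where it is enabled. The in-memory account store, the TOTP-based second factor and the response text are assumptions for the example.

```python
import hmac
import secrets
import struct
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str                  # address on record for the account
    mfa_secret: bytes = b""     # TOTP seed; empty means no second factor
    reset_tokens: set = field(default_factory=set)

ACCOUNTS = {  # constructed sample accounts: no second factor vs. second factor enabled
    "alice": Account("alice@example.com"),
    "bob": Account("bob@example.com", b"constructed-seed"),
}

def request_reset_vulnerable(username, requester_email, outbox):
    """Mirrors the flaw described above: the link is mailed to whatever address the caller supplied."""
    acct = ACCOUNTS[username]
    token = secrets.token_urlsafe(32)
    acct.reset_tokens.add(token)
    outbox.append((requester_email, token))
    return token

def request_reset_hardened(username, requester_email, outbox):
    """Mails only the address on record, only when the supplied one matches it, with one reply either way."""
    acct = ACCOUNTS.get(username)
    if acct and hmac.compare_digest(acct.email.lower().encode(), requester_email.lower().encode()):
        token = secrets.token_urlsafe(32)
        acct.reset_tokens.add(token)
        outbox.append((acct.email, token))
    return "If that address is on file, a reset link has been sent."

def totp(secret, now):
    """RFC 6238 code (SHA-1, 30 s step, 6 digits) standing in for the account's second factor."""
    digest = hmac.new(secret, struct.pack(">Q", now // 30), "sha1").digest()
    off = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[off:off + 4])[0] & 0x7FFFFFFF) % 10**6
    return f"{code:06d}"

def complete_reset(username, token, mfa_code, now):
    """Consumes a reset token; an enabled second factor still blocks the reset without a valid code."""
    acct = ACCOUNTS.get(username)
    if acct is None or token not in acct.reset_tokens:
        return False
    if acct.mfa_secret and not hmac.compare_digest(totp(acct.mfa_secret, now), mfa_code or ""):
        return False
    acct.reset_tokens.discard(token)  # single use
    return True
```

The hardened handler's uniform reply also keeps the endpoint from confirming which account and email pairs exist.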

What made the situation worse was the aftermath. Many affected users found themselves unable to recover their accounts because Meta’s support process was almost entirely automated, with no clear way to reach a human. One user described spending six hours stuck in a loop with a chatbot that kept sending broken links. So not only did an AI tool open the door to these attacks, an AI support system left people with no real path to fixing it once they were locked out.

So, what does this mean for you? Two things stand out. The first is simple but worth repeating. Two-factor authentication was the deciding factor between an account that was compromised and one that wasn’t, so if you aren’t using it across your important accounts, that’s worth addressing right away.

The second point is bigger, and it’s really the heart of this story. You may be carefully weighing if and how to bring AI into your workflow, but here’s the reality. The platforms and tools you already rely on are making that decision for you. Meta chose to put AI into a sensitive account recovery process, and when that decision went wrong, it was their users who paid the price with their data, not Meta. You can do everything right on your end and still be exposed by a choice a vendor made on your behalf. That’s why understanding where your data lives, who has access to it, and what protections you control directly has never been more important.

If you want help understanding where your business data is exposed or making sure protections like two-factor authentication are in place where they matter most, reach out to Rocket IT using the link in this video’s description. And to stay up to date on the trending technology news, hit subscribe and the bell to catch us on next week’s episode of Sync Up with Rocket IT.
