Meta HTS bug let hackers seize over 20,000 Instagram accounts
Meta just admitted a big slip-up: a bug in its account recovery tool (HTS) let hackers grab control of more than 20,000 Instagram accounts.
All they had to do was link fake emails and request password resets.
Even major accounts like Barack Obama White House account, Sephora, and the Space Force Chief Master Sergeant were reportedly affected.
Meta shut down HTS, strengthened security
The breach may have begun as early as April 17, 2026, but Meta only caught it on May 31.
Hackers used VPNs to pretend they were the real account owners and slipped past weak email checks.
After spotting the problem, Meta shut down HTS, canceled all sketchy reset links, and rolled out extra security for affected users.
If you didn't have two-factor authentication (2FA), you were especially at risk.
Meta says it will strengthen email verification for the recovery tool and review similar recovery systems across its platforms.