The social media giant Meta has disclosed a data breach to government regulators, noting that bad actors gained access to up to 20,225 accounts.
Meta notes the exploit happened in April and involved “High Touch Support,” Instagram’s AI-assisted account recovery system, per a letter to the Office of the Maine Attorney General.
Amber Hannah, Meta’s associate general counsel, says unauthorized third parties hijacked the tool to gain access to people’s accounts.
“The tool itself worked properly and functioned as intended; however, due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account.
As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request. This allowed unauthorized third parties to receive a password reset link for accounts they did not own.”
Meta discovered the breach at the end of May. Hannah says the company still isn’t certain what personal data was accessed in the exploit, but notes that contact info, birth dates, messages, posts, account activity, profile info and connected accounts could all be at risk.
Meta disabled High Touch Support and invalidated all existing password reset links that had been generated through the vulnerable code path.
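The verification gap Hannah describes, and the token revocation Meta applied afterwards, as an added example that is not Meta's or Instagram's code: a flawed reset handler that mails the link to whatever address the requester submits, beside a hardened one that only ever mails the address on file. The account store, token table and mailer are constructed stand-ins.

```python
"""Password-reset email verification: the flaw described in Meta's letter
next to a hardened handler. Account store, token table and mailer are
constructed stand-ins, not Instagram's systems."""
import hmac
import secrets
from typing import Optional

# Constructed sample data: account id -> registered email (lowercase).
ACCOUNTS = {"u1001": "owner@example.com"}
# Outstanding reset tokens: token -> account id.
RESET_TOKENS = {}
# Where the stand-in mailer delivered each link: (address, token).
SENT = []


def _issue_token(account_id):
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = account_id
    return token


def reset_flawed(account_id, submitted_email):
    """The bug as described: the submitted address is never compared with
    the address on file, so the link goes wherever the requester says."""
    token = _issue_token(account_id)
    SENT.append((submitted_email, token))  # delivered to an unverified address
    return "ok"


def reset_hardened(account_id, submitted_email):
    """Issue a link only when the submitted address matches the registered
    one, and deliver it to the registered address taken from the record,
    never to the submitted string. The response is identical either way so
    the caller cannot tell whether the address matched."""
    registered = ACCOUNTS.get(account_id)
    candidate = submitted_email.strip().lower().encode()
    if registered is not None and hmac.compare_digest(registered.encode(), candidate):
        token = _issue_token(account_id)
        SENT.append((registered, token))  # destination comes from the record
    return "ok"  # uniform response: no account/email enumeration


def invalidate_tokens(account_id: Optional[str] = None):
    """Revoke outstanding reset tokens (all of them when no id is given),
    the step Meta took for links generated through the vulnerable path.
    Returns how many tokens were revoked."""
    doomed = [t for t, a in RESET_TOKENS.items() if account_id is None or a == account_id]
    for t in doomed:
        del RESET_TOKENS[t]
    return len(doomed)
```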
However, the social media giant is not offering identity protection services to people whose accounts were affected by the breach. Multiple law firms have announced class-action investigations against the company.