I spent four years in Tokyo writing payments software, and the code I was most afraid of was never the code that moved money. It was the code that let someone back into their account after they had lost it.
Account recovery is the unlocked back door of every system you have ever used. Get login wrong, and a real user cannot get in. Get recovery wrong, and anyone can become them. In payments, we treated that path as sacred: step-up verification, identity binding, hard checks that no support agent could wave away. Not because we were clever, but because we were scared of exactly the thing that just happened to Instagram.
In late May 2026, high-profile accounts started falling, including the official Obama White House account and the account of the Chief Master Sergeant of the U.S. Space Force. My first assumption was that someone had found something exotic. A zero-day. A leaked signing key. Something that deserved a target that size.
Then I read how it was actually done, and I had to put my coffee down.
The attack was a conversation
There was no malware. No exploit code in the traditional sense. Attackers talked Meta’s AI-powered support agent, a system Meta calls High Touch Support, or HTS, into handing over accounts. Meta has since confirmed the shape of it in a breach notice. Here is the chain, stripped to its bones:
According to security researchers, the AI would sometimes ask for a video selfie to prove identity, and an AI-animated version of a public photo from the target’s own feed was reportedly enough to satisfy it.
Here is the part that should bother every engineer reading this. Because the system treated the request as a high-privilege recovery by the genuine owner, it bypassed the victim’s two-factor authentication entirely. Sessions were revoked. The password was changed. And the real owner got no email, no text, no push. Nothing. By the time they noticed, the recovery email and phone number already pointed at the attacker. There was no human to escalate to. Just a chat window, and the hope it would not happen again.
Meta confirmed that 20,225 accounts were compromised before it caught the flaw on 31 May. The fix was almost insultingly simple once they looked: verify that the email actually belongs to the account before starting a reset. Which leaves the only question worth asking.
The check that quietly disappeared
It is tempting to file this under “AI did something stupid.” That misses the lesson, and the lesson is the whole point.
The deterministic recovery flow, the boring, old, form-based one, had a check buried inside it: is this email already associated with this account? When Meta routed recovery through an AI agent, that check quietly disappeared. Not because the AI was dumb. Because the AI was handed the authority to perform a reset without being given the ability to verify who it was talking to.
That gap has a name, and it is decades old. It is the confused deputy: a component with real privileges, tricked by someone who has none, into using those privileges on their behalf. The AI was the deputy. The attacker simply asked it to do its job, for the wrong person. It is the same failure mode I keep returning to when I write about securing systems when the attacker has agents too, only this time the deputy was wearing a support badge.
Capability is what a system can do. Authority is what it is allowed to do. This exploit lived entirely in the gap between the two.
We put a non-deterministic, endlessly persuadable component directly on top of a deterministic trust boundary, and then acted surprised when it could be persuaded.
We are all about to make this mistake
Right now, every company you can name is racing to bolt an LLM agent onto something that used to be a deterministic workflow. Support. Provisioning. Refunds. Account changes. The pitch is always the same: let the agent handle it.
I have a golden rule for adding AI to a system, and it moves in one direction only: prompt, then retrieval, then tools, then agents, and only then fine-tuning. You earn each step by hitting a real wall with the one before it. Meta skipped to the end of that ladder for one of the most sensitive operations a platform owns, and earned nothing but a breach disclosure and twenty thousand hijacked accounts.
An agent that can be talked into things must never hold a privilege that a human would need to verify identity to exercise. Let the agent assist. Keep the irreversible, high-privilege action, the reset, the refund, the deletion, behind a deterministic gate it cannot talk its way past.
There is one more detail worth sitting with. The exploit largely failed against accounts that had multi-factor authentication enabled. So yes, turn on app-based MFA today, on everything. That is the practical takeaway, and it is real.
But notice why MFA saved those users. It was not because the recovery design was sound. It was because MFA happened to sit outside the broken flow. A downstream control caught what an upstream design should never have allowed. That is luck wearing the costume of security. Build a system that needs that kind of luck, and eventually you run out.
The frightening thing here was never that an AI did something foolish. It is that a company worth more than a trillion dollars shipped a recovery flow where asking nicely was enough, and it ran for weeks before someone with the right username made it impossible to ignore.
We are about to hand agents real authority over real systems. The question was never whether they are smart enough. It is whether we have decided, in advance, what they are allowed to do when they are wrong.
Details of the incident are drawn from Meta’s public breach disclosure and reporting by security researchers and outlets covering the May to June 2026 High Touch Support takeover. Figures Meta has confirmed (the roughly 20,000 affected accounts, the 31 May discovery, the unverified-email flaw) are stated as such; the finer mechanics of the attack are as reported and may evolve as more is disclosed.