Daylila

Cybersecurity · Tuesday, 9 June 2026

01 · Briefing · what happened

A Meta support tool emailed the keys to the wrong people — and 20,225 Instagram accounts paid for it

Cybersecurity 4 min 61 sources

A bug in Instagram's account-recovery tool sent password-reset links to strangers who simply asked. The accounts that survived were the ones with a second lock the bug couldn't reach.

Key takeaways

  • A bug in Instagram's account-recovery tool sent password-reset links to strangers who simply asked for them, and over 20,000 accounts were taken over.
  • The accounts that survived had two-factor authentication switched on — a second check the stolen reset links couldn't get past. Turning it on is the single best protection you control.
  • The same pattern showed up in a critical Check Point VPN flaw: the danger sat in an old, retired setting left switched on, not in the part anyone was actively guarding.

A reset link sent to the wrong inbox

Meta has told regulators that strangers took over more than 20,000 Instagram accounts by exploiting a flaw in one of its own support tools. [5][17] The company says it found the problem on May 31 in an AI-powered feature called High Touch Support, which is meant to help locked-out users get back in by emailing them a fresh password-reset link. [5]

The tool itself worked. The failure sat one step to the side. “Due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account,” Meta wrote in a letter to Maine’s attorney general. [5] In plain terms: if you asked for a reset and typed in your own email — not the account owner’s — the system sent the link to you anyway, instead of refusing. [5]

So the attackers asked for reset links to accounts they didn’t own, received them, and walked in. According to the regulatory filing, 20,225 Instagram users had their accounts compromised. [5]

The second lock that held

Here is the part worth carrying. The bug handed out reset links to anyone who asked — but a reset link alone wasn’t always enough. Meta says the intruders could log in only if the rightful owner hadn’t switched on two-factor authentication. [5]

Two-factor authentication, or 2FA, is a second check: after the password, the service also asks for a one-time code from your phone or an app. [5] A password-reset link gets an attacker past the first lock. It does nothing about the second. For accounts with 2FA on, the stolen reset link was a key to a door with a second deadbolt the attacker couldn’t reach.

That single setting drew the line between the accounts that fell and the accounts that didn’t. The owners who had turned it on weren’t smarter about Meta’s code — they couldn’t have known the bug existed. They just hadn’t trusted the password alone to be the whole defence.
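To make the bug concrete, here is an added example (not Meta's code, and not Instagram's implementation) of a toy password-reset flow: the vulnerable handler mails the reset link to whatever address the requester typed, the hardened handler insists the typed address match the one on file and delivers only to the stored address, and the reset step itself demands a 2FA code when the account has one. The account store, the names alice, bob and mallory@example.net, and the token format are constructed stand-ins; bob's 2FA seed is the RFC 6238 test-vector key.

```python
# Added example, not Meta's code: a toy password-reset flow that reproduces the
# bug class described above (the link is mailed to the address the requester
# typed rather than the address on file), beside a hardened version, plus the
# 2FA check that kept leaked links from working. Accounts, names and the token
# format are hypothetical stand-ins, not Instagram's implementation.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    email: str              # address verified at signup (assumption)
    password: str
    totp_secret: str = ""   # base32 TOTP seed; empty means 2FA is off


# Constructed sample accounts, not real data. bob's seed is the RFC 6238
# test-vector key ("12345678901234567890" in base32).
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com", "hunter2"),
    "bob": Account("bob", "bob@example.com", "correct horse",
                   totp_secret="GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
}
RESET_TOKENS: Dict[str, str] = {}   # one-time token -> username


def _issue_token(username: str) -> str:
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = username
    return token


def request_reset_vulnerable(username: str, requester_email: str, outbox: List) -> bool:
    """The bug: never compares the typed address with the one on file and mails
    the reset link to whatever address the requester supplied."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    outbox.append((requester_email, _issue_token(username)))   # wrong inbox
    return True


def request_reset_hardened(username: str, requester_email: str, outbox: List) -> bool:
    """Require the typed address to match the stored one (constant-time compare)
    and, even then, deliver only to the stored address. Always answers True so
    the response does not reveal whether a username or email exists."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return True
    typed = requester_email.strip().lower().encode()
    if not hmac.compare_digest(typed, acct.email.lower().encode()):
        return True                                          # refuse silently
    outbox.append((acct.email, _issue_token(username)))      # never requester_email
    return True


def totp(secret_b32: str, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1); `now` is injectable so the flow is testable."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(base64.b32decode(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret_b32: str, code: Optional[str], now: Optional[float] = None) -> bool:
    if code is None or not str(code).isascii():
        return False
    return hmac.compare_digest(totp(secret_b32, now), str(code))


def complete_reset(token: str, new_password: str, totp_code: Optional[str] = None,
                   now: Optional[float] = None) -> bool:
    """Consume a reset token. A leaked link gets an attacker this far; if the
    account has 2FA on, the reset also demands a current code from the device."""
    username = RESET_TOKENS.pop(token, None)
    if username is None:
        return False
    acct = ACCOUNTS[username]
    if acct.totp_secret and not verify_totp(acct.totp_secret, totp_code, now):
        return False
    acct.password = new_password
    return True


def demo() -> Dict[str, tuple]:
    """Replay the incident: an attacker at mallory@example.net asks for resets
    on alice (no 2FA) and bob (2FA on), then tries every link she receives."""
    results = {}
    for handler in (request_reset_vulnerable, request_reset_hardened):
        outbox: List = []
        handler("alice", "mallory@example.net", outbox)
        handler("bob", "mallory@example.net", outbox)
        links = [tok for (to, tok) in outbox if to == "mallory@example.net"]
        took_over = [complete_reset(tok, "pwned") for tok in links]   # no TOTP code
        results[handler.__name__] = (len(links), took_over)
    return results
```

Running `demo()` replays the incident: the vulnerable handler delivers both links to the attacker, and alice (no 2FA) is taken over while bob (2FA on) is not; the hardened handler delivers nothing to her. Two design points carry over to any real implementation: the delivery address must come from the account record, never from the request, so that even a failed comparison cannot route a link to the wrong inbox; and the hardened handler answers identically whether or not the username or address exists, so the reset endpoint does not become an account-enumeration oracle.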

For an ordinary person: if you have an Instagram, Facebook, email, or bank account without 2FA, turning it on is the highest-value few minutes you’ll spend this week. It’s usually under Settings → Security; on Instagram it lives in Accounts Center, under Password and security. Where the service offers a choice, pick an authenticator app over text-message codes, since a phone number can be hijacked more easily than a device. It is the safeguard that keeps working when the company’s own systems quietly don’t.

A flaw in a protocol left switched on

A second story this week rhymes with the first. Check Point, which makes firewalls and VPN gear used by businesses, disclosed a critical flaw, rated 9.3 out of 10 on the CVSS severity scale, that attackers had already been exploiting for weeks. [11] A VPN, or virtual private network, is the encrypted tunnel remote workers use to reach a company’s internal systems from outside. [11]

The catch: the flaw lives in IKEv1, a protocol for negotiating that tunnel that dates from 1998 and was formally deprecated by the IETF in 2023 in favour of its successor, IKEv2. [11] The vulnerable companies weren’t running cutting-edge software. They were running an old default nobody had switched off. Check Point says a few dozen organisations were targeted; researchers have linked at least one incident to a ransomware crew. [11] The practical check for anyone running such a gateway is not only to patch but to confirm whether it still accepts IKEv1 at all, and to disable it wherever no remaining peer depends on it.

The shared thread with the Meta breach isn’t the technique — it’s the location. The damage came not from the part anyone was guarding, but from an old setting left running on the assumption it was fine.

Spyware, in defiance of a court

In a separate matter, Meta-owned WhatsApp says it caught and disrupted a hacking attempt it has linked to NSO Group, the maker of the Pegasus spyware — and that the attempt broke a standing court order barring NSO from targeting WhatsApp users. [20][22] Meta has filed a contempt-of-court complaint. [22]

NSO sells surveillance tools to governments. A 2024 ruling found it liable for an earlier WhatsApp hack, and a court later issued a permanent injunction telling it to stop. [20] WhatsApp says it recently spotted a spear-phishing campaign (messages crafted to trick specific people into clicking malicious links) that it tied to NSO, along with test accounts it says NSO had set up on the platform. [22] NSO did not respond to requests for comment. [22] For most people this is not a personal threat; commercial spyware of this kind is aimed at journalists, activists, and officials, not the general public. [22]

02 · Lesson · why it matters

The lock you can't check, and the one you can

You depend on systems you can't see inside — so the only safeguard worth having is the one that still holds when they quietly break.

Two kinds of trust

When you log into Instagram, you are trusting two different things at once, and they are not the same kind of trust.

The first is trust in Meta’s code — that the password reset works, that the support tool checks who’s asking, that a thousand quiet routines behave the way they’re supposed to. You cannot inspect any of it. You don’t have the source code, and you wouldn’t read it if you did. You trust it the way you trust a bridge: by driving across and not falling.

The second is trust in something you set up yourself — a second check on your own account, a deadbolt you chose to add. You can see this one. You turned it on. You know it’s there.

This week showed what happens when the first kind of trust is misplaced and the second is all that’s left.

The bug was next to the thing that worked

Meta’s account-recovery tool did its job. It sent password-reset links to people who asked. The failure was one step to the side: a separate piece of code forgot to check that the person asking for the reset actually owned the account. So the link went to whoever typed in an email — including strangers.

Over twenty thousand accounts got handed out this way.

Notice where the damage came from. Not from the part Meta was watching — the reset tool worked fine. From the unguarded check sitting right next to it. You could not have predicted this. Nobody outside Meta knew that code path existed. The people whose accounts were taken did nothing wrong, missed no warning, ignored no advice. They simply trusted a system they had no way to audit, and the system had a flaw they had no way to see.

That is the ordinary condition of modern life. You run on systems you cannot check.

What actually drew the line

And yet — the attack didn’t work on everyone. The stolen reset link got an intruder past the password. It did nothing about the second lock. Accounts with two-factor authentication switched on — the extra code from your phone — held. The reset link was a key to a door with a second deadbolt the attacker’s key couldn’t touch.

So the line between the accounts that fell and the accounts that survived wasn’t intelligence or vigilance. The survivors didn’t know about the bug. They couldn’t have. The only thing that separated them was that they hadn’t trusted the password alone to be the whole defence. They had added one safeguard of their own — the one kind they could actually see and control.

The same shape appeared in a second story. A critical flaw in business VPN software lived inside a method built in 1998 and retired years ago, still switched on by default. The companies hit weren’t running anything exotic. They were trusting an old setting nobody had turned off. Again: the damage came not from the guarded part, but from the unexamined thing left running on the assumption it was fine.

You can’t audit your way out

The instinct, reading this, is to want to understand the systems better — to become the kind of person who’d have caught the bug. That instinct is a trap. There are thousands of these systems beneath an ordinary day: your phone’s operating system, your bank’s servers, your car’s software, the reset tool behind every account you own. You will never read their code. You will never know which one has the flaw that hasn’t surfaced yet.

This is the humbling part, and it’s worth sitting with. You are not above these systems, supervising them. You are inside them, carried by them, dependent on the competence of strangers you’ll never meet, in code you’ll never see. The screen full of green checkmarks isn’t proof the systems are sound. It’s proof you can’t see the one that isn’t.

What you can do is small and specific. You can’t make the systems reliable. You can refuse to bet everything on any one of them being right. The second lock, the backup, the thing that still works when the main thing fails — those are the safeguards in your reach precisely because they don’t assume the system underneath is sound. They’re the move of someone who knows they can’t see the whole machine, and plans for the part that’s hidden to be the part that breaks.

The 20,225 people who lost their accounts weren’t careless. They trusted a system, the way we all must. The ones who kept theirs weren’t clever. They just held that trust a little more loosely — and kept one lock for themselves.

03 · Lab · your turn

Where The Second Lock Goes

Rehearse protecting accounts against a flaw you can't predict, and feel why a backstop you control beats trusting each system to be right.

Across the beats