More than 20,000 Instagram users may have been affected by an account takeover campaign that allowed attackers to seize profiles, lock out legitimate owners, and gain control of valuable usernames.
The incidents came to light after users reported losing access to their accounts without warning. Victims said attackers quickly changed account recovery information, preventing them from regaining control once the takeover was complete.

The campaign reportedly targeted a wide range of accounts, including businesses, public figures, organizations, and owners of rare or highly sought-after usernames. Some compromised accounts were later advertised for sale through Telegram channels, while others were stripped of valuable usernames that could be transferred or resold.

Several prominent accounts were reportedly affected. Reuters identified accounts associated with Sephora, the Obama White House Instagram account, and U.S. Space Force Chief Master Sergeant John Bentivegna among those targeted.

Victims described a rapid process in which account settings were modified before they had an opportunity to respond. Some users reported losing access despite having additional security measures enabled on their accounts.

Researchers said the attackers exploited a weakness in Meta’s account recovery process, allowing them to change recovery information tied to targeted accounts. Once those details were altered, attackers could reset passwords and assume control of the profiles.

The takeover campaign appears to have focused heavily on accounts with desirable usernames, which can command significant value in underground markets. Researchers said compromised accounts and usernames were traded through online communities dedicated to buying and selling social media assets.

The scale of the campaign raised concerns because it allegedly affected thousands of users before the underlying issue was addressed. Reports indicate that attackers were able to repeatedly use the same method against multiple targets over a relatively short period.

Meta acknowledged the issue and said it has fixed the vulnerability that enabled the account takeovers. The company also said it is working with affected users to restore access to compromised accounts.

The company has not publicly disclosed the total number of affected users. However, researchers tracking the campaign estimate that more than 20,000 Instagram accounts may have been impacted before the flaw was patched.