Hackers likely hijacked over 20,000 Instagram accounts with Meta’s AI chatbot
Meta blames a bug for an exploit that allowed hackers to ask its AI support bot to link a victim’s account with their own email.

Hackers likely took over 20,225 Instagram accounts using Meta’s AI support chatbot, the company confirmed in a notice filed with the state of Maine. In the notice, spotted earlier by Bleeping Computer, Meta blames a “bug” for the exploit that allowed attackers to hijack accounts without two-factor authentication simply by asking the chatbot for a password reset:


The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account. As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request. This allowed unauthorized third parties to receive a password reset link for accounts they did not own.
Meta says the attack first surfaced on May 31st, with Meta communications head Andy Stone saying the company “resolved” the incident on June 1st. During this time, several high-profile Instagram accounts were impacted, including former President Barack Obama’s old White House account, US Space Force Chief Master Sergeant John F. Bentivegna, and Sephora. In the notice, Meta adds that it’s “unaware” of whether any personal data was accessed as a result of the exploit, but notes that account hijackers could’ve obtained email addresses, phone numbers, birthdates, social media posts, direct messages, profile information, account activity, and connected accounts.
The notice says 30 of the impacted users lived in Maine. The number refers to “users who had their passwords reset through the support tool, did not have 2FA enabled on their account and whose Instagram accounts were likely accessed by an unauthorized party” — though Meta says it’s an “upper bound,” as some of these accounts may have been accessed legitimately.
The company notes that it disabled its AI support tool and removed the buggy code path, while invalidating any password reset links generated using the exploit. It also enrolled all potentially impacted accounts “into a mandatory security checkpoint requiring authentication before any account access.”
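
The check Meta’s notice says was missing, shown as an added example (not Meta’s code, which the notice does not publish): a reset handler that takes the recipient from the request, beside one that only mails an address already on the account. The account store, function names and addresses are constructed for illustration.

```python
import hmac
import secrets

# Constructed account store; names and addresses are illustrative only.
ACCOUNTS = {"alice": {"verified_emails": ["alice@example.com"]}}
GENERIC_REPLY = "If the details match an account, a reset link has been sent."


def _norm(email: str) -> str:
    return email.strip().lower()


def _issue_link(outbox: list, to_addr: str, username: str) -> None:
    # Stand-in for the mail sender: records (recipient, account, token).
    outbox.append((to_addr, username, secrets.token_urlsafe(32)))


def reset_unchecked(username: str, requested_email: str, outbox: list) -> str:
    """The flaw as described: the recipient is taken from the request."""
    if username in ACCOUNTS:
        _issue_link(outbox, _norm(requested_email), username)
    return GENERIC_REPLY


def reset_checked(username: str, requested_email: str, outbox: list) -> str:
    """Recipient must already be on the account, and is read from the record."""
    account = ACCOUNTS.get(username)
    wanted = _norm(requested_email).encode()
    if account is not None:
        for on_file in account["verified_emails"]:
            # Constant-time comparison; mail the stored value, not the input.
            if hmac.compare_digest(_norm(on_file).encode(), wanted):
                _issue_link(outbox, on_file, username)
                break
    # Same reply on match and mismatch, so the endpoint does not confirm
    # which addresses belong to which account.
    return GENERIC_REPLY


def demo() -> tuple:
    bad, good = [], []
    reset_unchecked("alice", "someone-else@example.net", bad)
    reset_checked("alice", "someone-else@example.net", good)  # no mail sent
    reset_checked("alice", " Alice@Example.com ", good)       # mail to stored address
    return [r[0] for r in bad], [r[0] for r in good]


if __name__ == "__main__":
    print(demo())
```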