Updated · The Verge · Jun 8
Meta Says AI Chatbot Bug Let Hackers Hijack 20,225 Instagram Accounts

3 articles · Updated · The Verge · Jun 8

Summary

  • 20,225 Instagram accounts were likely hijacked after attackers exploited Meta’s AI support chatbot to trigger password resets on accounts without two-factor authentication.
  • A buggy code path failed to verify that the email requesting a reset matched the account’s real email, so the system sent reset links to attacker-controlled addresses instead of rejecting them.
  • Meta says the attack surfaced on May 31 and that the issue was resolved on June 1 after it disabled the AI support tool, removed the flawed code, invalidated reset links and forced affected accounts through a security checkpoint.
  • High-profile accounts including Barack Obama’s old White House account, a senior Space Force enlisted leader and Sephora were hit; Meta said 30 affected users were in Maine.
  • Meta said the 20,225 figure is an upper bound and that it does not know whether personal data was accessed, though compromised accounts could have exposed messages, profile details, phone numbers and connected accounts.
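
The missing check described in the summary, as an added example that is not Meta's code: the flawed handler mails the reset link to whatever address the request names, while the hardened one rejects a mismatch and only ever mails the address on file. The account store, function names and token handling are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed account store; the name and addresses are illustrative only.
ACCOUNTS = {"alice": {"email": "alice@example.com"}}
OUTBOX = []         # (recipient, token) pairs a mailer would send
RESET_TOKENS = {}   # token -> username


def _issue(username, recipient):
    token = secrets.token_urlsafe(16)
    RESET_TOKENS[token] = username
    OUTBOX.append((recipient, token))
    return token


def reset_flawed(username, requested_email):
    """Bug pattern from the summary: the caller-supplied address is never
    compared with the address on file, yet the link is mailed to it."""
    if username not in ACCOUNTS:
        return False
    _issue(username, requested_email)
    return True


def reset_hardened(username, requested_email):
    """Reject a mismatched address, and mail only to the address on file."""
    account = ACCOUNTS.get(username)
    if account is None:
        return False
    on_file = account["email"]
    supplied = requested_email.strip().lower()
    if not hmac.compare_digest(supplied.encode(), on_file.lower().encode()):
        return False            # mismatch: no token issued, nothing sent
    _issue(username, on_file)   # recipient never comes from the request
    return True


def invalidate_resets(username):
    """Cleanup step the summary mentions: revoke outstanding reset links."""
    stale = [t for t, u in RESET_TOKENS.items() if u == username]
    for token in stale:
        del RESET_TOKENS[token]
    return len(stale)
```

Keeping the recipient out of the request entirely means a later regression in the comparison still cannot redirect a link to a new address.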

Insights

Is Meta's latest AI security failure just another breach in a long, unfixable pattern?
How did hackers trick an AI helper into giving away 20,000 Instagram accounts?
What is the true cost of replacing human support with AI that can be so easily fooled?