A bug in Meta’s AI support chatbot reportedly enabled hackers to hijack more than 20,000 Instagram accounts, including several high-profile profiles, before the flaw was patched
A few days back, hackers reportedly took over close to 20,255 Instagram accounts by persuading their way through Meta’s AI-powered support chatbot. Meta confirmed the incident in a notice filed with the state of Maine. In the notice, first spotted by Bleeping Computer, the company blamed a “bug” for the exploit that allowed attackers to hijack accounts protected by two-factor authentication simply by requesting password resets.
Meta said the attack was first detected on May 31, and Communications Head Andy Stone later confirmed that the issue was resolved on June 1. Several high-profile Instagram accounts were impacted during the incident, including former President Barack Obama’s archived White House account, US Space Force Chief Master Sergeant John F. Bentivegna, and beauty retailer Sephora.
In the notice, Meta said it is unaware of any confirmed access to personal data as a result of the exploit. However, the company acknowledged that attackers may have been able to obtain information such as email addresses, phone numbers, birth dates, social media posts, direct messages, profile details, account activity, and information from connected accounts.
According to the filing, 30 of the affected users were residents of Maine. Meta clarified that this figure represents users whose passwords were reset through the support tool, who did not have two-factor authentication enabled, and whose Instagram accounts were likely accessed by an unauthorised party. The company noted that the number should be viewed as an upper-bound estimate, as some of the account access may have been legitimate.
In response, Meta disabled the AI support tool responsible for the issue, removed the faulty code path, and invalidated all password reset links generated through the exploit. The company also placed potentially affected accounts under a mandatory security review process, requiring users to verify their identities before regaining access.
First Published:
June 08, 2026, 22:27 IST
End of Article
Click Here For The Original Source.
