{"slug": "meta-confirms-thousands-of-instagram-accounts-were-hacked-by-abusing-its-ai", "title": "Meta confirms thousands of Instagram accounts were hacked by abusing its AI chatbot", "summary": "Meta confirmed that hackers exploited a vulnerability in its AI chatbot to hijack at least 20,225 Instagram accounts, including 30 in Maine, between April 17 and this week. The attackers tricked the chatbot into sending password reset links to their own email addresses, allowing them to take over accounts and access personal data, direct messages, and linked accounts. Meta said the bug has been fixed and is notifying affected users.", "body_md": "# Meta confirms thousands of Instagram accounts were hacked by abusing its AI chatbot\n\nMeta is notifying thousands of people whose Instagram accounts were hijacked during the months-long abuse of the company's AI chatbot, which hackers repeatedly tricked into taking control of a person's account.\n\nIn a [new data breach notification letter](https://www.documentcloud.org/documents/28202858-meta-ai-ag-maine/), seen by [__this week in security__](https://this.weekinsecurity.com/), Meta has revealed for the first time how many people had their accounts hijacked as part of the long-running hacking campaign, which was discovered earlier this week and [__first reported by 404 Media ($)__](https://www.404media.co/hackers-simply-asked-meta-ai-to-give-them-access-to-high-profile-instagram-accounts-it-worked/) and [__TechCrunch ($)__](https://techcrunch.com/2026/06/01/hackers-hijacked-instagram-accounts-by-tricking-meta-ai-support-chatbot-into-granting-access/). 
The number of affected accounts gives some clarity as to how widespread this hacking campaign was, and for how long it operated.\n\nAccording to the [data breach notice](https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/686120c8-63be-4e3c-b7ed-466d65b672f5.html?771b4d4d7bf3fcb5991d9fc49a27d085) filed with Maine's attorney general's office late on Friday, Meta notified at least 20,225 people that their accounts had been compromised, including 30 people in Maine.\n\nThe compromises allowed the hackers to take over the person's entire Instagram and any linked accounts, including obtaining contact information, dates of birth, and profile information, as well as the ability to access the person's posts, direct messages, and account activity, the notice reads.\n\nMeta's notice confirmed that the breach relates to \"a vulnerability in an AI-assisted account recovery system for Instagram,\" which was exploited to \"perform password resets on Instagram user accounts.\"\n\nAs previously reported, hackers abused a flaw in Meta's chatbot that allowed anyone to reset the password of any account that did not have two-factor authentication switched on. The bug tricked the chatbot into sending a verification code to an email address controlled by the hacker, rather than the account holder's email address on file, simply by asking it. 
The chatbot complied anyway.\n\n\"The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account,\" said Meta in its breach notice.\n\n\"As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request. This allowed unauthorized third parties to receive a password reset link for accounts they did not own,\" the company added.\n\nAt this point, Meta says, the hackers could reset someone's password and take over their account as if they were the rightful owner.\n\nMeta said that it is \"unaware\" of what, if any, personal information was accessed during the hacks. (An email to Meta's press line asking for clarity on this was unreturned as of early Saturday.)\n\nAccording to Maine's listing, the hacks began around April 17 and lasted until this week, when Meta said that it had secured the chatbot. 
Instagram reportedly started notifying affected individuals earlier this week by sending a password reset notification, even as [some reported that the hacks were ongoing](https://techcrunch.com/2026/06/03/instagram-is-alerting-users-who-were-targeted-by-hackers-during-ai-chatbot-attacks/).\n\nMeta also confirmed in the notice that it alerted users to secure their accounts, saying it \"instructed impacted users to reset their passwords and re-authenticate through secure, verified channels.\"\n\nMeta said that it has disabled the AI chatbot for now and removed the code path that allowed the chatbot to reset user accounts, and said it's also checking other chatbots across its platforms to prevent a repeat incident. It's not yet clear what circumstances led up to the chatbot being abused, but it comes soon after Meta laid off [thousands of employees](https://www.cnbc.com/2026/05/18/metas-layoffs-starting-this-week-underscore-zuckerbergs-ai-reality-.html) while [__rewarding top executives with stock incentives__](https://www.nytimes.com/2026/03/25/technology/meta-layoffs-ai-executives.html), as the company continues to double down on AI.", "url": "https://wpnews.pro/news/meta-confirms-thousands-of-instagram-accounts-were-hacked-by-abusing-its-ai", "canonical_source": "https://this.weekinsecurity.com/meta-confirms-thousands-of-instagram-accounts-were-hacked-by-abusing-its-ai-chatbot/", "published_at": "2026-06-06 11:51:06+00:00", "updated_at": "2026-06-06 12:17:23.087998+00:00", "lang": "en", "topics": ["ai-safety", "ai-policy", "ai-products", "ai-agents", "generative-ai"], "entities": ["Meta", "Instagram", "404 Media", "TechCrunch", "Maine attorney general's office"], "alternates": {"html": "https://wpnews.pro/news/meta-confirms-thousands-of-instagram-accounts-were-hacked-by-abusing-its-ai", "markdown": "https://wpnews.pro/news/meta-confirms-thousands-of-instagram-accounts-were-hacked-by-abusing-its-ai.md", "text": "https://wpnews.pro/news/meta-confirms-thousands-of-instagram-accounts-were-hacked-by-abusing-its-ai.txt", "jsonld": "https://wpnews.pro/news/meta-confirms-thousands-of-instagram-accounts-were-hacked-by-abusing-its-ai.jsonld"}}