Meta confirms 20,225 Instagram accounts compromised via AI chatbot exploit
The social media giant has disabled the Meta AI chatbot and removed the flawed code path after a campaign that began in April hijacked accounts lacking two-factor authentication.
Meta has confirmed that at least 20,225 Instagram accounts were compromised through an exploit targeting its AI-assisted account recovery system. The vulnerability allowed attackers to manipulate the Meta AI chatbot into issuing password reset links to email addresses controlled by hackers, effectively bypassing verification protocols for accounts that did not have two-factor authentication enabled.
The hacking campaign is believed to have begun around 17 April and was discovered earlier this week, following reports by 404 Media and TechCrunch. A data breach notification letter filed with Maine’s attorney general’s office revealed that Meta notified at least 20,225 individuals of the compromise, including 30 people in Maine. The notice detailed that the breaches allowed attackers to take over entire Instagram accounts and any linked services, gaining access to contact information, dates of birth, profile details, posts, direct messages, and account activity.
According to Meta’s breach notice, the flaw resided in a separate code path within the system. While the chatbot tool itself functioned as intended, the system failed to verify that the email address provided by the requester matched the one associated with the user’s Instagram account. Consequently, when an individual provided an unassociated email address, the system incorrectly sent a password reset link to that address rather than rejecting the request, allowing unauthorised third parties to receive the link for accounts they did not own.
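As an added illustration of the check that was missing (this is constructed example code, not Meta's own, which is not public), the snippet below shows a recovery handler that trusts the requester-supplied address beside one that only ever sends to the address on file. The account store, usernames and e-mail addresses are all invented.

```python
# Added example, not Meta's code: the account-recovery flaw described above,
# reduced to its core, beside the check that closes it. All data is constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    username: str
    email: str  # the address on file for this account


# Constructed sample store (hypothetical user, example.com address).
ACCOUNTS: Dict[str, Account] = {
    "alice": Account("alice", "alice@example.com"),
}


def normalize(addr: str) -> str:
    """Canonicalise an address so a trivially re-cased copy still matches."""
    return addr.strip().lower()


def request_reset_vulnerable(username: str, requester_email: str) -> Optional[str]:
    """Flawed path: the reset link goes wherever the requester asked.

    Returns the address the link would be sent to, or None if no such account.
    """
    account = ACCOUNTS.get(username)
    if account is None:
        return None
    # BUG: requester_email is never compared with account.email, so anyone
    # who knows a username can have the link delivered to their own inbox.
    return requester_email


def request_reset_hardened(username: str, requester_email: str) -> Optional[str]:
    """Hardened path: reject mismatches and only ever send to the address on file.

    Returns the destination address, or None when the request is rejected.
    The caller should answer the requester identically in both cases so the
    endpoint does not reveal which usernames or addresses exist.
    """
    account = ACCOUNTS.get(username)
    if account is None:
        return None
    if normalize(requester_email) != normalize(account.email):
        return None  # requester does not know the registered address
    return account.email  # never the requester-typed string
```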
Meta stated it is currently unaware of what personal information, if any, was accessed during the hacks. The company has since disabled the AI chatbot and removed the specific code path that allowed the chatbot to reset user accounts. Additionally, Meta is auditing other chatbots across its platforms to prevent similar incidents from occurring.
Instagram began notifying affected individuals earlier this week by sending password reset notifications. Meta instructed impacted users to reset their passwords and re-authenticate through secure, verified channels. The incident comes as Meta continues to double down on its artificial intelligence strategy, despite recent layoffs of thousands of employees and stock incentives for top executives.