Meta confirms 1000s of Instagram accounts were hacked by abusing its AI chatbot

642 points · 232 comments on HN


Meta confirms 20,225 Instagram accounts were hijacked via a bug in its AI chatbot's password reset system.

Between April 17 and early June 2026, attackers exploited a vulnerability in Meta's AI-assisted account recovery chatbot to reset passwords on Instagram accounts that did not have two-factor authentication enabled. Because of a bug in a separate verification code path, the chatbot sent password reset links to email addresses supplied by the attacker instead of to the account owner's registered address. A successful reset gave the attacker full control of the account, including its contact information, date of birth, posts, direct messages and activity logs. Meta notified at least 20,225 affected users, 30 of them in Maine. The company has since disabled the chatbot and removed the vulnerable code path, and is instructing affected users to reset their passwords and to check other platforms for similar issues.

What commenters are saying

The top thread consensus challenges Meta's framing that "the tool worked as intended." Commenters note the absurdity of this claim when a core security function failed: the backend verification layer should never have accepted an unregistered email address. A secondary discussion examines whether LLMs are genuinely worse at enforcing permissions than human support staff. One commenter argues the real issue is architectural: permissions should be enforced at the backend API level, not delegated to the agent. Another observes that humans trained in security would likely catch social engineering attempts more reliably than the chatbot did at scale.
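The summary above describes the bug (the reset link went to an address the caller supplied rather than the registered one) and the commenters' architectural point (enforce the rule in the backend, not in the agent). The following is an added example written for this page, not Meta's code: a toy password-reset backend showing the failing shape beside a hardened one. The user table, the Outbox record, the function names and the attacker address are all constructed for illustration.

```python
"""Password-reset destination check: the failure mode beside the fix.

Constructed example for this page; not Meta's code. The user table, the
Outbox, the two handlers and the agent/backend split are assumptions made
for illustration.
"""
import secrets
from dataclasses import dataclass, field

# Constructed user store (hypothetical accounts, not real data).
USERS = {
    "alice": {"email": "alice@example.com", "two_factor": False},
    "bob":   {"email": "bob@example.com",   "two_factor": True},
}


@dataclass
class Outbox:
    """Records (recipient, token, mfa_required) so a caller can see where links went."""
    sent: list = field(default_factory=list)


def _new_token() -> str:
    return secrets.token_urlsafe(32)


def vulnerable_reset(username: str, destination: str, outbox: Outbox) -> str:
    """Sends the reset link wherever the caller (here, the agent) says.

    This is the bug class the article describes: nothing compares the
    destination against the registered address, so an attacker-supplied
    mailbox receives a valid reset link for someone else's account.
    """
    if username not in USERS:
        return "unknown_user"            # also leaks whether the account exists
    outbox.sent.append((destination, _new_token(), False))
    return "sent"


def hardened_reset(username: str, claimed_email: str, outbox: Outbox) -> str:
    """The backend, not the agent, decides where the link goes.

    - The caller's address is only compared with the registered one; it is
      never used as a recipient, whatever the agent passes in.
    - Every path returns the same string, so neither the chatbot nor an
      attacker driving it learns whether the user exists or the address matched.
    - For accounts with a second factor the token is marked so the reset page
      must demand that factor; the article notes only accounts without 2FA
      were hijacked, which is the property this flag preserves.
    """
    user = USERS.get(username)
    if user is None:
        return "accepted"
    registered = user["email"].strip().lower()
    claimed = claimed_email.strip().lower()
    if registered != claimed:
        return "accepted"                # mismatch: no link, no hint
    outbox.sent.append((user["email"], _new_token(), user["two_factor"]))
    return "accepted"


def recipients(outbox: Outbox) -> list:
    """Addresses that actually received a link (for checking outcomes)."""
    return [to for to, _token, _mfa in outbox.sent]


if __name__ == "__main__":
    attacker = "mallory@evil.example"    # constructed attacker mailbox
    vuln, hard = Outbox(), Outbox()
    vulnerable_reset("alice", attacker, vuln)
    hardened_reset("alice", attacker, hard)
    print("vulnerable path delivered to:", recipients(vuln))
    print("hardened path delivered to:  ", recipients(hard))
```

The point of the split is that the agent's input never reaches the sender; a prompt-injected or socially engineered chatbot can only ask the backend a yes/no question it cannot distinguish from "no". The uniform "accepted" response is the usual trade-off against account enumeration.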