Meta AI Chatbot Vulnerability Exposed Over 20,000 Instagram Accounts to Hijacking

Meta has disclosed that hackers likely took over 20,225 Instagram accounts by exploiting a vulnerability in the company's AI-powered customer support chatbot. The breach was revealed in a data breach notice filed with the state of Maine.

How the Exploit Worked

The vulnerability resided in a secondary code path related to password reset functionality. Meta's AI support chatbot was designed to help users recover access to their accounts, but a bug in the system failed to properly verify that the email address requesting a password reset matched the address already associated with the targeted Instagram account.

This meant attackers could initiate a password reset for any Instagram account and have the recovery link sent to an email address they controlled—bypassing the need for two-factor authentication or direct access to the original account email.
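The failure mode described above, reduced to a minimal password-reset handler as an added example (this is illustrative code, not Meta's): the vulnerable variant mails the reset link to whatever address the request supplies, while the hardened variant only ever mails the address on record. The account table and mailer are constructed stand-ins.

```python
# Added illustration of the bug class, not Meta's code. The account table and
# mailer are constructed for the demo.
import hmac
import secrets
from dataclasses import dataclass, field

ACCOUNTS = {"alice": "alice@example.com"}  # username -> registered email (constructed)


@dataclass
class Mailer:
    """Records outgoing reset links instead of sending them."""
    sent: list = field(default_factory=list)

    def send_reset(self, to_addr: str, username: str, token: str) -> None:
        self.sent.append((to_addr, username, token))


def reset_vulnerable(mailer: Mailer, username: str, requested_email: str) -> str:
    """Bug: the reset link is sent to the caller-supplied address without
    checking it against the account's registered email, so any account can be
    reset into an inbox the requester controls."""
    if username not in ACCOUNTS:
        return "ok"
    token = secrets.token_urlsafe(32)
    mailer.send_reset(requested_email, username, token)
    return "ok"


def reset_hardened(mailer: Mailer, username: str, requested_email: str) -> str:
    """Fix: compare the supplied address with the one on record (constant-time,
    case-insensitive) and deliver only to the registered address. The response
    is identical in every branch so a probe learns nothing about which check
    failed or whether the account exists."""
    registered = ACCOUNTS.get(username)
    if registered is None:
        return "ok"
    supplied = requested_email.strip().lower().encode()
    if not hmac.compare_digest(registered.lower().encode(), supplied):
        return "ok"  # mismatch: send nothing, reveal nothing
    token = secrets.token_urlsafe(32)
    mailer.send_reset(registered, username, token)
    return "ok"
```

A real deployment would also rate-limit reset requests and expire tokens; this block keeps only the verification step the article describes.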

Company Response

Meta stated that the AI chatbot tool itself "functioned properly and as intended" in its core operations. The company attributed the breach entirely to the bug in the separate verification code path rather than a flaw in the AI system itself.

Affected users were likely notified of the compromise, consistent with standard breach notification requirements. Meta has presumably patched the vulnerability, though the company did not specify when the fix was implemented or when the breach was discovered.

Security Implications

This incident highlights how vulnerabilities in automated support systems can create significant security gaps, even when primary authentication mechanisms are functioning correctly. The scale of the breach—affecting tens of thousands of accounts—demonstrates the potential impact of seemingly minor code path bugs in high-traffic platforms.

Users are encouraged to review connected email addresses, enable two-factor authentication, and monitor account activity for signs of unauthorized access.