Meta confirmed that more than 20,000 Instagram accounts were hijacked in a months-long campaign that abused the company’s own AI chatbot. The attacker simply asked the chatbot to reset a password, and the chatbot complied — sending the reset link to an email address the attacker controlled, not the account holder’s.

The disclosure, filed with Maine’s attorney general’s office and reported by this week in security, puts a number on a vulnerability that security researchers and journalists had been tracking for weeks. Meta says 20,225 people were notified that their accounts were compromised, including 30 in Maine. The breach notice states the hacks began around April 17 and continued until this week, when Meta says it secured the chatbot.

The mechanism is almost absurdly simple. Meta’s AI-assisted account recovery system, which the company built to help users regain access to locked accounts, had a bug in a “separate code path.” The chatbot itself worked as designed. But when a user asked it to reset a password, the system did not verify that the email address provided matched the one on file for the account. Instead, it sent the password reset link to whatever email the requester supplied.

“As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request,” Meta said in its breach notice.

The attacker then used that link to set a new password, log in, and take full control of the account. From there, they could access posts, direct messages, contact information, and any linked accounts. Meta says it is “unaware” of what personal information was accessed during the hacks.

The only protection was two-factor authentication. Accounts without 2FA enabled were vulnerable. Accounts with 2FA were not affected, because the password reset process still required the second factor.

What the bug actually was

This is not a case of an AI model hallucinating or being jailbroken to bypass a safety filter. The chatbot did exactly what it was asked to do. The failure was in the surrounding infrastructure — the code that handles the password reset request before it reaches the chatbot, or the code that validates the response after the chatbot generates it.

Meta described it as “a bug in a separate code path.” That phrasing matters. The chatbot itself was not the problem. The problem was that Meta connected a conversational AI to a high-stakes account recovery flow without building a verification gate between them. The chatbot could trigger a password reset, and the system trusted the chatbot’s output without checking it against the account’s registered email.

This is a design failure, not a model failure. It is the kind of mistake that happens when a company rushes to surface AI features without auditing the privilege boundaries around them.

The scale and the silence

Twenty thousand confirmed hijackings is a large number for a single vulnerability class, but it is almost certainly an undercount. The breach notice only covers accounts where Meta could confirm the compromise. The campaign may have operated for longer than the April-to-June window Meta cites. And the notice only covers U.S. accounts, since it was filed with Maine’s attorney general under state breach notification law.

Meta says it has disabled the AI chatbot for now and removed the code path that allowed it to reset accounts. The company also says it is checking other chatbots across its platforms to prevent a repeat incident. That is the right response, but it raises a question: why was this not caught in testing?

The vulnerability is straightforward. A chatbot that can trigger a password reset should verify that the requesting user owns the account. That is a basic security invariant. Meta’s own description of the bug — “the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account” — reads like a textbook example of what not to do when connecting a generative AI to an authentication system.

What this means for AI builders

The Instagram hack is a warning for every company building AI-powered customer support or account recovery tools. The temptation is to give the chatbot access to backend systems so it can actually solve problems. But every capability you grant the chatbot becomes a capability an attacker can exploit by simply asking the right question.

The standard defense is to treat the chatbot as an untrusted actor. Never let it directly trigger sensitive operations like password resets, payment changes, or data exports. Instead, have the chatbot generate a request that goes through a human review queue or a separate verification system. That adds latency, but it also adds a layer of protection that cannot be bypassed by social engineering the AI.
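As an added example, and not Meta's code, the following Python models the reset request path the breach notice describes beside a gate of the kind this paragraph recommends. Accounts, addresses and the second-factor stub are constructed for the demonstration. The vulnerable path delivers the link to whatever address the requester supplied; the hardened gate treats everything relayed by the chatbot as untrusted input, delivers a link only to the address on file and only after the supplied address matches it, and answers uniformly so the requester cannot probe for accounts. The shared completion step still demands the second factor, which is the property that protected 2FA-enabled accounts even on the vulnerable path.

```python
"""Added illustration of the bug pattern and a verification gate (not Meta's code).
Account data, addresses and the second-factor stub are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import hmac
import secrets


@dataclass(frozen=True)
class Account:
    username: str
    registered_email: str        # address on file: the only valid reset destination
    two_factor_enabled: bool


# Constructed sample accounts (hypothetical data).
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com", two_factor_enabled=False),
    "bob": Account("bob", "bob@example.com", two_factor_enabled=True),
}
# Stand-in for a real second factor (TOTP, push); constructed for the demo only.
DEMO_SECOND_FACTOR = {"bob": "123456"}
ISSUED_TOKENS: Dict[str, str] = {}   # reset token -> username (in-memory for the demo)


@dataclass(frozen=True)
class ResetRequest:
    """What the conversational front end hands to the backend. Every field is
    requester-controlled: the chatbot only relays what it was told."""
    username: str
    supplied_email: str


def _normalize(email: str) -> bytes:
    return email.strip().lower().encode("utf-8")


def deliver_reset_link(email: str, token: str, outbox: List[Tuple[str, str]]) -> None:
    """Stand-in for the mail sender: records (destination, token)."""
    outbox.append((email, token))


def vulnerable_reset(req: ResetRequest, outbox: List[Tuple[str, str]]) -> bool:
    """The bug pattern: the destination comes from the request and is never
    compared with the address on file for the account."""
    account = ACCOUNTS.get(req.username)
    if account is None:
        return False
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = account.username
    deliver_reset_link(req.supplied_email, token, outbox)   # BUG: unverified destination
    return True


def hardened_reset(req: ResetRequest, outbox: List[Tuple[str, str]]) -> str:
    """Verification gate between the chatbot and the reset flow. Same response
    whatever happened; a link is sent only when the supplied address matches the
    record, and only ever to the record's own address."""
    account = ACCOUNTS.get(req.username)
    if account is not None and hmac.compare_digest(
        _normalize(req.supplied_email), _normalize(account.registered_email)
    ):
        token = secrets.token_urlsafe(32)
        ISSUED_TOKENS[token] = account.username
        deliver_reset_link(account.registered_email, token, outbox)
    return "If that address is on file, a reset link has been sent."


def complete_reset(token: str, second_factor_code: Optional[str]) -> bool:
    """Consume a reset link. Shared by both paths: because this step still demands
    the second factor, 2FA-enabled accounts survived the vulnerable path."""
    username = ISSUED_TOKENS.pop(token, None)
    if username is None:
        return False
    account = ACCOUNTS[username]
    if account.two_factor_enabled:
        expected = DEMO_SECOND_FACTOR.get(username, "")
        if second_factor_code is None or not hmac.compare_digest(
            expected.encode(), second_factor_code.encode()
        ):
            return False
    return True   # a real system would set the new password here


def demo() -> Dict[str, bool]:
    """Run an attacker-supplied address through both paths; report where links went."""
    attacker = "attacker@example.net"   # constructed, not an address from the page
    results: Dict[str, bool] = {}
    box: List[Tuple[str, str]] = []
    vulnerable_reset(ResetRequest("alice", attacker), box)
    results["vulnerable_alice_link_went_to_attacker"] = box[0][0] == attacker
    results["vulnerable_alice_takeover"] = complete_reset(box[0][1], None)
    box = []
    vulnerable_reset(ResetRequest("bob", attacker), box)
    results["vulnerable_bob_blocked_by_2fa"] = not complete_reset(box[0][1], None)
    box = []
    hardened_reset(ResetRequest("alice", attacker), box)
    results["hardened_alice_nothing_sent"] = box == []
    box = []
    hardened_reset(ResetRequest("alice", " Alice@Example.com "), box)
    results["hardened_alice_link_to_registered"] = bool(box) and box[0][0] == "alice@example.com"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The gate never reads a destination from the request: it uses the supplied address only as evidence of ownership, compared in constant time against the record, and the link itself goes to the record's address. The uniform response string is the second half of the design, since a gate that answered "no such account" or "address does not match" would turn the reset endpoint into an oracle for enumerating accounts and registered addresses.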

Meta’s bug also highlights the risk of deploying AI features during layoffs. The company laid off thousands of employees while rewarding top executives with stock incentives, as the breach notice notes. A leaner team means fewer people reviewing edge cases, fewer people running red-team exercises on new features, and fewer people catching bugs like this before they hit production.

The chatbot is now disabled. The accounts are being secured. But the incident is a concrete example of a pattern that will repeat as more companies connect generative AI to sensitive infrastructure. The question is not whether the AI will make mistakes. The question is whether the systems around it are designed to catch them.

Twenty thousand hijacked accounts is the answer for Meta. Other companies should ask the same question before they ship.