What the Meta AI Security Bug Was and Who It Hit
The Meta AI security bug was a flaw in Instagram’s AI-assisted account recovery chatbot that let attackers request password reset links for other people’s accounts and have them delivered to email addresses the attackers controlled. Because the link alone was enough to set a new password, this enabled large-scale account takeover of users who did not have two-factor authentication enabled, without tripping the usual recovery safeguards. Meta’s own filing says the account takeover vulnerability affected 20,225 Instagram users and that abuse began on April 17, when attackers started using the AI-powered support flow instead of the standard recovery page. The issue only came to light after the hijacking method spread on Telegram and social media, where many people complained that their Instagram account had been hacked without warning. According to a US data breach notice, Meta discovered the incident on May 31 and later confirmed that contact details, direct messages, and connected services tied to compromised accounts may have been exposed.

How Hackers Used a Password Reset Exploit to Steal Accounts
Meta’s AI-assisted High Touch Support (HTS) tool was designed to help locked-out users regain access by sending a password reset email to the address on file. Because of a bug in a separate code path, the system never verified that the email address given to the chatbot matched the account’s registered email. That turned the flow into a password reset exploit: an attacker could start recovery from an IP address in the same region as the victim, name the victim’s account, and tell the bot to send the reset link to any mailbox the attacker owned. With the link in hand, the attacker could set a new password and take full control of the account if two-factor authentication (2FA) was disabled; where 2FA was on, the second factor still stood between the reset link and a working login. Meta says this flaw let “unauthorized third parties receive a password reset link for accounts they did not own,” turning a support feature into a takeover tool.
What Hackers Could Access After an Instagram Account Was Hacked
When this bug was exploited, the impact went far beyond profile pictures and posts. With full login access, attackers could view personal data such as the email address, phone number, and date of birth on the account, as well as past and ongoing direct messages. Meta’s disclosures add that connected accounts and linked services, including other platforms or email addresses tied into Instagram, were also at risk. High-profile accounts were not spared: the dormant White House handle from the Obama era, beauty retailer Sephora, and a senior US Space Force official all saw their Instagram accounts hacked, albeit briefly. For regular users, an account takeover can also lead to scams against followers, brand damage for creators and businesses, and exposure of private conversations, making this more than a minor inconvenience.
How Meta Responded and Fixed the Account Takeover Vulnerability
After confirming the account takeover vulnerability, Meta moved to contain the damage. The company disabled the AI-assisted support tool completely, removing the vulnerable code path from production so it could no longer send password reset links to unverified email addresses. It also invalidated password reset links that had been generated through this exploit, cutting off attackers who had not yet used them. In a statement to regulators, Meta said it would fix the broken authentication checks before relaunching the chatbot and is conducting a broader review of similar account recovery flows across its platforms. Meta told PCMag that it has “fixed this issue, secured impacted accounts, and restored individuals’ access” and will formally notify affected users so they can review their settings and strengthen security going forward.
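The check the article says was missing from the chatbot flow, and the containment step it describes (invalidating links the flawed path had already issued), as an added example in Python. This is not Meta’s code; the real HTS implementation is not public, and the account record, the ACCOUNTS and TOKENS stores, the function names and the "chatbot"/"web" channel labels are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory stand-in for the user database (hypothetical layout).
ACCOUNTS = {
    "victim_42": {"registered_email": "Victim@Example.com", "twofa_enabled": False},
}

TOKEN_TTL_SECONDS = 15 * 60

# Reset tokens are stored under the SHA-256 of the secret, so a leaked store
# cannot be replayed as working links. Keyed by hex digest.
TOKENS = {}


@dataclass
class ResetToken:
    account_id: str
    email: str          # address the link was actually sent to
    channel: str        # which recovery flow minted it, e.g. "web" or "chatbot"
    expires_at: float
    used: bool = False


def _normalize(email):
    return email.strip().lower()


def _mint_token(account_id, email, channel):
    raw = secrets.token_urlsafe(32)
    digest = hashlib.sha256(raw.encode()).hexdigest()
    TOKENS[digest] = ResetToken(account_id, _normalize(email), channel,
                                time.time() + TOKEN_TTL_SECONDS)
    return raw


def vulnerable_request_reset(account_id, requested_email, channel="chatbot"):
    """The bug as the article describes it: the flow mails the link to whatever
    address the caller supplied and never compares it to the address on file."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return None
    # Missing here: any comparison against account["registered_email"].
    return _normalize(requested_email), _mint_token(account_id, requested_email, channel)


def hardened_request_reset(account_id, requested_email, channel="chatbot"):
    """Hardened form: the caller-supplied address is only a claim to verify.
    The link goes to the registered address or nowhere, and an unknown account
    and a wrong address return the same answer, so the endpoint cannot be used
    to probe which email is on file."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return None
    registered = _normalize(account["registered_email"])
    if not hmac.compare_digest(registered.encode(), _normalize(requested_email).encode()):
        return None  # no token minted, no email sent
    return registered, _mint_token(account_id, registered, channel)


def consume_reset_token(raw_token):
    """Redeem a token once; returns the account id or None. Revoked, expired and
    unknown tokens all fail identically."""
    digest = hashlib.sha256(raw_token.encode()).hexdigest()
    rec = TOKENS.get(digest)
    if rec is None or rec.used or time.time() > rec.expires_at:
        return None
    rec.used = True
    return rec.account_id


def complete_reset(raw_token, second_factor_ok=False):
    """A reset link must not bypass 2FA: if the account has it enabled, the
    second factor is still required. The token is single-use either way, so a
    failed second factor means starting recovery over rather than retrying."""
    account_id = consume_reset_token(raw_token)
    if account_id is None:
        return False
    if ACCOUNTS[account_id]["twofa_enabled"] and not second_factor_ok:
        return False
    return True


def revoke_tokens_issued_by(channel):
    """Containment: drop every unused link minted by the flawed flow so holders
    of not-yet-redeemed links get nothing. Returns how many were revoked."""
    doomed = [d for d, rec in TOKENS.items() if rec.channel == channel and not rec.used]
    for d in doomed:
        del TOKENS[d]
    return len(doomed)
```

The design point is that the recovery endpoint treats the address the user types as something to check, never as a destination; whether the chatbot, the web form or a support agent calls it, the email is read from the account record. Tagging each token with the channel that minted it is what makes the clean-up cheap: once the chatbot path is known to be bad, every link it issued can be revoked without touching links from the normal recovery page.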
What You Should Do Now to Protect Your Instagram Account
Even though Meta has patched the Meta AI security bug, users should harden their accounts in case attackers gained access or stored stolen data. First, enable two-factor authentication so a password reset exploit alone cannot give someone full control over your profile. Next, check the Login Activity and Devices sections in Instagram’s security settings for unfamiliar sessions and sign out of anything you do not recognize. Review connected apps and linked accounts, revoking access for services you no longer use. If your Instagram account was hacked or behaves strangely—new posts you did not make, changed bio, or missing recovery email—reset your password from the official app or website and avoid using links from messages or DMs. Finally, assume that direct messages and contact information may have been exposed and treat suspicious messages from followers with extra caution.