Meta acknowledges AI chatbot flaw that led to thousands of Instagram accounts being hacked
- Evelyn Carter
Meta has confirmed a serious security incident in which cybercriminals exploited an artificial intelligence (AI) support tool, putting thousands of Instagram user accounts at risk of data exposure and unauthorized access.
Which accounts were affected by this security breach?
Approximately 20,000 Instagram accounts were targeted and compromised due to the abuse of an account recovery tool. Remarkably, the list of victims includes high-profile targets such as the Obama-era White House account, the beauty brand Sephora, and Chief Master Sergeant of the US Space Force, John Bentivegna.

Many of the hijacked accounts were subsequently put up for sale on the dark web. Furthermore, some cybercriminals went as far as sharing detailed video tutorials and step-by-step guides demonstrating how to execute this specific attack.
How did cybercriminals exploit this technological flaw?
The incident stemmed from the exploitation of the High Touch Support (HTS) tool, an AI-powered feature designed to assist users in regaining access when locked out of their accounts. Meta detected this malicious activity on May 31.
In essence, the HTS tool itself functioned normally as designed. However, a critical bug within a separate, isolated code stream caused a verification failure. Specifically:
- Attackers initiated a support request with the AI chatbot and provided a new email address that was completely unlinked to the target account.
- Due to the system flaw, the chatbot failed to verify whether the requester's email matched the original email associated with that Instagram account.
- Instead of rejecting the request, the system incorrectly delivered the password reset link to the stranger's unauthorized email address.
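As an added illustration (not Meta's code and not from the original article), a minimal account-recovery handler in Python that shows the verification failure described above next to a hardened version that only ever sends a reset link to the registered address. The account store, email addresses, `Outbox` mail stand-in and token scheme are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample store (hypothetical; not Meta's data or systems).
ACCOUNTS = {"example_account": {"email": "owner@example.com"}}
SECRET_KEY = secrets.token_bytes(32)


@dataclass
class Outbox:
    """Stand-in for the mail sender: records (recipient, token) pairs."""
    sent: list = field(default_factory=list)


def issue_token(username: str, email: str) -> str:
    """Reset token bound to the account and the address it was issued for,
    so a token cannot be replayed for a different account or mailbox."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET_KEY, f"{username}:{email}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def recovery_vulnerable(username: str, requester_email: str, outbox: Outbox) -> str:
    """Mirrors the failure described above: the requester's address is never
    compared with the account's registered address, so the reset link is
    delivered to whatever mailbox the requester supplied."""
    if username not in ACCOUNTS:
        return "no_such_account"
    outbox.sent.append((requester_email, issue_token(username, requester_email)))
    return "link_sent"


def recovery_hardened(username: str, requester_email: str, outbox: Outbox) -> str:
    """Fixed flow: the claimed address must match the registered one, and the
    link is sent only to the registered address. The response is identical
    whether or not the account or address exists, so the endpoint cannot be
    used to enumerate registered emails."""
    account = ACCOUNTS.get(username)
    claimed = requester_email.strip().lower()
    if account is not None and hmac.compare_digest(account["email"].lower(), claimed):
        outbox.sent.append((account["email"], issue_token(username, account["email"])))
    return "generic_ack"
```

The check worth auditing in any recovery flow is the one the hardened version adds: the address a reset link is sent to must come from the stored record, never from the request.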
What user information is at risk of being exposed?
While Meta has not definitively confirmed whether core stored personal data was accessed, hackers who successfully logged in could potentially view a large volume of sensitive information. This includes profile details, registered email addresses, phone numbers, birth dates, direct messages (DMs), published posts, as well as activity logs and interaction histories on the platform.
What measures has Meta taken to address the situation?
Immediately upon discovering the vulnerability, Meta implemented several emergency measures to mitigate further damage:
- Technical remediation: Completely disabled the compromised HTS tool, stating it will only be reactivated once the flaw is thoroughly patched. Additionally, all faulty password reset links generated by the system bug were immediately invalidated.
- User protection: Forced affected accounts into a mandatory security checkpoint and compelled them to reset their passwords. The company is also actively notifying affected users, advising them to review their security settings and enable 2FA.
- Regulatory reporting: Meta reported the incident to the Maine Attorney General's Office, identifying 20,225 individuals who were potentially affected. However, Amber Hannah, Meta's Associate General Counsel for Incident Response, noted that the actual number of victims might be lower, as the tally includes legitimate users who reset their passwords through the tool without having 2FA enabled.
Solutions to build a “digital shield” for businesses
With deep expertise in digital infrastructure and information security, IPSIP Vietnam provides professional consulting and managed services, helping businesses maintain seamless workflow continuity even when global technology ecosystems experience unexpected technical disruptions.

IPSIP Vietnam's management and monitoring systems have successfully passed the most rigorous audits to achieve top international information security certifications, including ISO 27001:2022 and SOC 2 Type II.
By providing 24/7 non-stop core services - such as the Security Operations Center (SOC), Network Operations Center (NOC), and a dedicated, on-duty IT Support/Helpdesk team - IPSIP commits to directly responding to and intercepting any intrusion attempts, day or night. Partnering with these leading technical minds will help businesses completely eliminate legal and compliance risks, freeing up valuable resources to focus entirely on growth objectives.