Meta AI bug allowed hackers to hijack 20,000 Instagram accounts
A technical flaw in Meta’s automated support system enabled unauthorized users to seize control of 20,225 Instagram accounts. By exploiting a password reset bug, attackers bypassed two-factor authentication, which let them redirect reset links to external email addresses and gain full access to high-profile accounts within a 24-hour window.

The security lapse occurred between May 31 and June 1, according to filings submitted to the state of Maine. Meta identified that while the AI chatbot functioned as intended, a secondary code path failed to verify that the email address provided in a reset request matched the one linked to the target account. This oversight allowed anyone to trigger a password reset for an account they did not own, effectively stripping users of their access. Meta communications head Andy Stone confirmed the company resolved the issue within a day of its discovery.
The breach compromised several prominent accounts, including those belonging to the former White House, US Space Force Chief Master Sergeant John F. Bentivegna, and Sephora. While Meta stated it remains unaware of whether attackers actively accessed private data, the scope of the exploit provided intruders with potential access to sensitive information. This includes phone numbers, birthdates, private direct messages, and historical account activity. Although the company is notifying affected users, the incident highlights significant vulnerabilities in automated recovery systems that prioritize convenience over strict identity verification.
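
The missing check described above, sketched as an added example (not Meta's code): a reset handler that trusts the requester's email address next to one that only compares it with the address on file. The account store, function names and event name are hypothetical.

```python
import hmac
import secrets

# Constructed sample data: username -> email address on file.
ACCOUNTS = {"alice": "alice@example.com"}
GENERIC_REPLY = "If the details match an account, a reset link has been sent."


def _norm(email: str) -> bytes:
    """Normalize an address for comparison (trim, lowercase, bytes)."""
    return email.strip().lower().encode("utf-8")


def reset_flawed(username, supplied_email, outbox):
    """Flawed path: the reset link goes wherever the requester says."""
    if username in ACCOUNTS:
        outbox.append((supplied_email, username, secrets.token_urlsafe(32)))
    return GENERIC_REPLY


def reset_checked(username, supplied_email, outbox, audit):
    """Checked path: the supplied address is compared, never used as destination."""
    on_file = ACCOUNTS.get(username)
    if on_file is not None and hmac.compare_digest(_norm(on_file), _norm(supplied_email)):
        # Destination comes from the server-side record, not from the request.
        outbox.append((on_file, username, secrets.token_urlsafe(32)))
    else:
        # A mismatch is a detection signal: record it for alerting and rate limiting.
        audit.append({"event": "reset_email_mismatch", "username": username})
    return GENERIC_REPLY  # same reply either way, so the caller learns nothing


if __name__ == "__main__":
    flawed_out, checked_out, audit_log = [], [], []
    reset_flawed("alice", "intruder@example.net", flawed_out)
    reset_checked("alice", "intruder@example.net", checked_out, audit_log)
    print("flawed path mailed:", [dest for dest, _, _ in flawed_out])
    print("checked path mailed:", [dest for dest, _, _ in checked_out])
    print("audit log:", audit_log)
```

Logging the mismatch, rather than silently dropping the request, gives the security team a signal to alert on when one source requests resets for many accounts it does not own.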