Meta has confirmed that thousands of Instagram accounts were compromised through a vulnerability in its AI chatbot, which hackers exploited to reset passwords on accounts lacking two-factor authentication. The company fixed the bug after months of abuse and is notifying affected users, according to a data breach notification letter obtained by this.weekinsecurity.com.
The flaw allowed attackers to repeatedly trick Meta's AI chatbot into resetting Instagram account passwords without proper verification. This method targeted accounts without two-factor authentication, enabling unauthorized access. Meta's internal investigation revealed the scale of the breach, prompting the company to patch the vulnerability and alert impacted users through official communications.
This incident highlights the risks associated with integrating AI chatbots into account security processes, especially when safeguards like two-factor authentication are absent. The breach underscores the need for robust verification mechanisms in AI-driven customer service tools. Meta's case adds to growing concerns about AI vulnerabilities being exploited for cyberattacks, with Instagram's large user base making such flaws particularly consequential.
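The failure mode described above, an assistant that can be talked into invoking a privileged account action on the strength of the conversation alone, beside the gating a practitioner would put in front of that tool. This is an added example, not Meta's code and not a description of how Instagram's reset flow works; the account model, factor names, freshness window and rate limits are all constructed for illustration.

```python
"""Gating an AI assistant's password-reset tool on server-side verification.

weak_reset_tool shows the insecure pattern: the tool acts on an identity claim
that the assistant forwarded from the chat. hardened_reset_tool ignores what
the conversation says and consults only state the server itself established:
a fresh proof of control of the registered contact, the account's second
factor when one is enrolled, and a per-account rate limit on reset requests.
All names, limits and sample data are constructed for this example.
"""
from dataclasses import dataclass, field

OTP_FRESHNESS = 900      # seconds an out-of-band proof stays valid (assumed)
MAX_RESETS = 3           # reset requests allowed per window (assumed)
RESET_WINDOW = 3600      # seconds (assumed)


class ResetDenied(Exception):
    """Raised when the reset tool refuses to act."""


@dataclass
class Account:
    username: str
    has_2fa: bool


@dataclass
class Session:
    account: Account
    # Factors the server verified in this session, mapped to the time of
    # verification, e.g. {"contact_otp": t} after a code sent to the
    # registered e-mail or phone was entered correctly.
    verified_factors: dict = field(default_factory=dict)
    reset_attempts: list = field(default_factory=list)


def weak_reset_tool(session: Session, tool_args: dict) -> str:
    """Insecure pattern: the assistant passes along whatever the user claimed
    and the tool trusts it. Nothing checks control of the account, and an
    enrolled second factor is never consulted."""
    if tool_args.get("username") == session.account.username:
        return "password_reset"
    raise ResetDenied("username does not match session")


def hardened_reset_tool(session: Session, tool_args: dict, now: float) -> str:
    """Hardened dispatcher: chat content never satisfies a check."""
    # 1. Rate-limit reset requests per account, counting refused ones too,
    #    so repeated attempts trip the limit and can be escalated.
    recent = [t for t in session.reset_attempts if now - t < RESET_WINDOW]
    session.reset_attempts = recent + [now]
    if len(recent) >= MAX_RESETS:
        raise ResetDenied("too many reset requests; escalate to manual review")
    # 2. Require every factor the account actually has, verified server-side
    #    and recently enough to still belong to this user.
    required = {"contact_otp"}
    if session.account.has_2fa:
        required.add("second_factor")
    for factor in required:
        verified_at = session.verified_factors.get(factor)
        if verified_at is None or now - verified_at > OTP_FRESHNESS:
            raise ResetDenied(
                f"{factor} not verified within the last {OTP_FRESHNESS}s"
            )
    # 3. Only now perform the action; tool_args came from the model and
    #    were deliberately never consulted.
    return "password_reset"


def attempt_reset(session: Session, tool_args: dict, now: float,
                  hardened: bool = True) -> str:
    """Run one tool call and report the outcome as a string."""
    try:
        if hardened:
            return hardened_reset_tool(session, tool_args, now)
        return weak_reset_tool(session, tool_args)
    except ResetDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    # Constructed walk-through: an account without 2FA, no proof of control.
    alice = Session(Account("alice", has_2fa=False))
    claim = {"username": "alice"}          # what the chat asserted
    print("weak    :", attempt_reset(alice, claim, 1000.0, hardened=False))
    print("hardened:", attempt_reset(alice, claim, 1000.0))
    alice.verified_factors["contact_otp"] = 990.0   # code to registered contact confirmed
    print("hardened:", attempt_reset(alice, claim, 1000.0))
```

The point of the split is that the tool's authorization never depends on an argument the model filled in from the conversation; identity is established by a server-side step the user cannot talk their way through, and an enrolled second factor is required at reset time as well, which is exactly the protection the affected accounts lacked.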
Meta's notification letter, dated June 2026, marks the first public disclosure of the breach's extent. The company has since enhanced its AI chatbot's security protocols to prevent similar attacks. Instagram users without two-factor authentication remain at higher risk, emphasizing the importance of enabling additional security measures.