Meta has disclosed that a vulnerability in its AI-powered support chatbot for Instagram may have affected up to 20,225 user accounts. The company revealed the number for the first time in a data breach notification filed with the Maine Attorney General's office.
The hacking campaign ran for nearly seven weeks, starting around April 17, 2026, according to the notification. The flaw was discovered on May 31. At least 20,225 accounts were compromised, including 30 accounts belonging to Maine residents.
Breach details
Attackers exploited Meta's AI-powered support chatbot, which was designed to help locked-out users regain access to their accounts. The tool, called "High Touch Support," contained a bug in a separate code path. This bug meant the system never checked whether the email address provided by a user actually belonged to the Instagram account in question.
As a result, hackers were able to send password reset links to any email address without verification. The attackers then used those links to take over the target accounts. Meta called the 20,225 figure an upper bound, noting that some access attempts may have come from legitimate account holders.
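The missing ownership check described above, as an added example (not Meta's code): a support path that trusts the requester's address next to one that routes through a single checked issuer. The account store, function names and mail queue are hypothetical, and the sample data is constructed.

```python
import hmac
import secrets
from typing import Optional

# Constructed sample data: account id -> verified addresses on file.
ACCOUNTS = {"acct_1001": {"owner@example.com"}}
SENT = []  # (account_id, destination) pairs; stands in for the mail queue


def _normalize(email: str) -> str:
    return email.strip().casefold()


def verified_address(account_id: str, email: str) -> Optional[str]:
    """Return the on-file address matching `email`, or None if there is none."""
    candidate = _normalize(email).encode()
    match = None
    for on_file in ACCOUNTS.get(account_id, ()):
        # Constant-time comparison, no early exit from the loop.
        if hmac.compare_digest(candidate, _normalize(on_file).encode()):
            match = on_file
    return match


def issue_reset_link(account_id: str, claimed_email: str) -> Optional[str]:
    """Single chokepoint: every recovery path sends links through here."""
    destination = verified_address(account_id, claimed_email)
    if destination is None:
        return None  # caller should show the same generic reply either way
    token = secrets.token_urlsafe(32)
    SENT.append((account_id, destination))  # always the stored address
    return token


def support_path_flawed(account_id: str, claimed_email: str) -> str:
    """Failure mode from the text: the requester chooses the destination."""
    token = secrets.token_urlsafe(32)
    SENT.append((account_id, claimed_email))  # no ownership check
    return token


def support_path_hardened(account_id: str, claimed_email: str) -> Optional[str]:
    """Same entry point, delegating to the shared, checked issuer."""
    return issue_reset_link(account_id, claimed_email)
```

Keeping the check inside the issuer, rather than in each caller, means a newly added recovery path cannot send a link without passing it.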
The data that was potentially exposed includes contact information, birth dates, posts, direct messages, account activity, profile information, and linked services. Meta stated that it does not know which information was actually viewed by the attackers.
Thisweekinsecurity first reported on the notification.
Meta's response
As an immediate response, Meta disabled the AI chatbot and removed the faulty code path. The company also invalidated all password reset links that had been generated through the affected system. Affected users were placed into a mandatory security checkpoint and were asked to reset their passwords through verified channels.
Before reactivating the tool, Meta plans to fix the email verification step in the recovery process. The company also intends to audit similar account recovery systems across all of its platforms.
The incident comes at a time when Meta has laid off thousands of employees while betting heavily on artificial intelligence. The AI support chatbot had previously been marketed by Meta as a win for account security.

