Meta Confirms 20,000+ Instagram Accounts Hijacked Through AI Chatbot Vulnerability
Key Takeaways
- At least 20,225 Instagram users were affected by the breach, which lasted from approximately April 17 until its discovery this week
- Hackers exploited an email verification flaw in Meta's AI-assisted password reset system that allowed them to trick the chatbot into sending verification codes to attacker-controlled email addresses
- The exploit gave attackers full account access, including personal information, contact details, posts, direct messages, and account activity, for accounts without two-factor authentication
Summary
Meta disclosed a major security breach affecting at least 20,225 Instagram users whose accounts were hijacked through a vulnerability in the company's AI-assisted account recovery chatbot. The breach ran from mid-April until this week, during which hackers repeatedly tricked the chatbot into resetting account passwords and sending verification codes to attacker-controlled email addresses. The attackers exploited a flaw in the chatbot's email verification logic during password reset requests, gaining unauthorized access to account information, direct messages, posts, and account activity.
The compromised accounts lacked two-factor authentication, which is what left them exposed to the exploit. Meta confirmed in a data breach notification filed with Maine's attorney general that the chatbot had a code-path bug that failed to verify email addresses properly during password resets. When hackers supplied an attacker-controlled email address, the system sent the password reset link to that address instead of rejecting the request or sending the link only to the account holder's registered address. Meta has since disabled the vulnerable chatbot, removed the problematic code path, and begun notifying affected users to reset their passwords and secure their accounts.
- Meta has disabled the vulnerable chatbot and is reviewing other chatbots across its platforms to prevent similar security incidents
- The breach highlights the security risks of deploying AI systems to handle sensitive account recovery and authentication functions
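The code-path bug described in the summary above is a recognizable pattern: a reset flow that lets the requester influence where the reset link is delivered. The following is an added illustration of that pattern and of the corrected flow; it is not Meta's code and makes no claim about how the chatbot was actually implemented. The `Account`, `Outbox`, and `ACCOUNTS` directory are constructed for this example, and the attacker address is made up.

```python
"""
Added illustration (not Meta's code) of a password-reset recipient flaw and
its hardened form. Every account, address and the mail outbox below are
constructed for this example; nothing is sent anywhere.
"""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    registered_email: str
    two_factor_enabled: bool = False


@dataclass
class Outbox:
    """Collects (recipient, token) pairs instead of sending real mail."""
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def send_reset(self, recipient: str, token: str) -> None:
        self.sent.append((recipient, token))


# Constructed sample directory; usernames and addresses are made up.
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com", two_factor_enabled=False),
    "bob": Account("bob", "bob@example.com", two_factor_enabled=True),
}


def vulnerable_reset(username: str, claimed_email: str, outbox: Outbox) -> None:
    """Flawed flow: trusts the recipient address supplied in the request.

    It only checks that the account exists, then mails a fresh reset token
    to whatever address the caller provided. Anyone who knows the username
    can therefore have a valid reset link delivered to themselves.
    """
    account = ACCOUNTS.get(username)
    if account is None:
        return
    token = secrets.token_urlsafe(32)
    outbox.send_reset(claimed_email, token)  # BUG: the caller picks the recipient


def hardened_reset(username: str, claimed_email: str, outbox: Outbox) -> None:
    """Corrected flow: the request never chooses where the reset link goes.

    - The recipient is always the address on file, never request input.
    - A caller-supplied address that does not match the registered one is
      rejected, and the response is identical for unknown accounts, so the
      endpoint does not become an enumeration oracle.
    - Accounts with 2FA enabled are not reset through this path at all;
      they must complete their second factor in a separate step.
    """
    account = ACCOUNTS.get(username)
    if account is None:
        return
    if account.two_factor_enabled:
        return
    if claimed_email.strip().lower() != account.registered_email.lower():
        return
    token = secrets.token_urlsafe(32)
    outbox.send_reset(account.registered_email, token)


def recipients_after(flow, username: str, claimed_email: str) -> List[str]:
    """Run one reset flow on a fresh outbox and report who received a link."""
    outbox = Outbox()
    flow(username, claimed_email, outbox)
    return [recipient for recipient, _token in outbox.sent]


if __name__ == "__main__":
    attacker = "attacker@evil.example"  # constructed attacker address
    print("vulnerable:", recipients_after(vulnerable_reset, "alice", attacker))
    print("hardened:  ", recipients_after(hardened_reset, "alice", attacker))
    print("hardened (legit):", recipients_after(hardened_reset, "alice", "alice@example.com"))
```

The decisive difference is a single line: the vulnerable flow passes request input to `send_reset`, while the hardened flow passes `account.registered_email`. Any reset path, chatbot-driven or not, that lets user input reach the recipient field has the same bug regardless of how much verification logic surrounds it.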