Meta fixes Instagram AI bug that let hackers hijack accounts
A flaw in Meta’s AI support assistant gave attackers a direct path into Instagram accounts by changing recovery emails and resetting passwords, and Meta said it has now fixed the problem. The breach exposed a new risk in everyday AI products: when a chatbot is given too much authority over security settings, it can become a takeover tool.
Meta had rolled out the assistant globally on March 19, 2026, positioning it as 24/7 help for Facebook and Instagram account issues, including password updates and profile changes. Security writers described the abuse as a prompt-injection or logic-flaw attack, in which the chatbot was manipulated into changing a target account’s recovery email to an attacker-controlled address, sending a verification code there, and then allowing the password to be reset without taking over the victim’s original email account. In some cases, the attack reportedly worked even on accounts protected by two-factor authentication.
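As an added illustration of the logic flaw described above (this is not Meta's code, nor a reconstruction of it), the Python below contrasts a recovery-email change that mails the verification code to the caller-supplied address with one that demands proof of control from the existing recovery channel; the account, outbox and e-mail addresses are constructed for the example.

```python
from dataclasses import dataclass, field
import hmac
import secrets

@dataclass
class Account:
    recovery_email: str
    pending: dict = field(default_factory=dict)  # purpose -> (new_email, code)

class Outbox:  # constructed stand-in for the mail service
    def __init__(self):
        self.sent = []
    def send_code(self, address, code):
        self.sent.append((address, code))
    def codes_visible_to(self, address):
        # A caller only sees codes delivered to addresses they control.
        return [c for a, c in self.sent if a == address]

def flawed_request_change(acct, new_email, outbox):
    # Flawed pattern: the code goes to the address the caller supplied,
    # so whoever supplies the address can always confirm the change.
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending["recovery_change"] = (new_email, code)
    outbox.send_code(new_email, code)

def hardened_request_change(acct, new_email, outbox):
    # Hardened pattern: proof of control is demanded from the EXISTING
    # recovery channel; the caller never chooses where the code is sent.
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending["recovery_change"] = (new_email, code)
    outbox.send_code(acct.recovery_email, code)

def confirm_change(acct, submitted_code):
    # Single-use code, constant-time compare; new address applied only
    # after the code issued for this specific change is presented.
    entry = acct.pending.pop("recovery_change", None)
    if entry is None:
        return False
    new_email, code = entry
    if not hmac.compare_digest(code, submitted_code):
        return False
    acct.recovery_email = new_email
    return True

def takeover_succeeds(request_change):
    # True if a caller who controls only attacker@example.invalid ends up
    # as the recovery address after running the given change flow.
    acct = Account("owner@example.invalid")
    outbox = Outbox()
    request_change(acct, "attacker@example.invalid", outbox)
    for code in outbox.codes_visible_to("attacker@example.invalid"):
        confirm_change(acct, code)
    return acct.recovery_email == "attacker@example.invalid"
```

The same rule applies to any AI-facing tool that mutates security settings: the model may request the change, but the verification destination and the decision to apply it stay with server-side logic the model cannot influence.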
The first public warnings surfaced on May 31 and June 1, when users on Reddit and X said their accounts had been compromised. A video circulating online appeared to show the exploit in action, reinforcing concerns that the flaw was not theoretical. Among the accounts reportedly affected were the dormant Obama-era White House Instagram account, U.S. Space Force chief master sergeant John Bentivegna’s account and Sephora’s account, showing that the weakness could reach well beyond ordinary consumer profiles.
Instagram spokesperson Andy Stone said on June 1 that the issue was fixed, and Meta said it was securing affected accounts. But the scale of the incident kept expanding as breach notices and follow-up reporting suggested the problem was larger than first understood. A Maine breach notice said more than 20,000 Instagram accounts were affected. One report put the number at 20,225 accounts compromised between April 17 and early June 2026, while another said more than 34,000 accounts became vulnerable.
The episode is a sharp reminder that AI tools are increasingly being asked to handle sensitive tasks once reserved for tightly controlled support staff. For users, the practical lesson is to check recovery email settings, confirm password and two-factor authentication protections, and watch closely for any unexpected account-recovery changes.