How did Meta hackers take over Instagram accounts?
Meta AI chatbot bug enabled Instagram account takeovers
Meta disclosed a security incident tied to its AI-powered support assistant that ultimately enabled hackers to take over large numbers of Instagram accounts. The mechanism, according to Meta's notice, centered on weaknesses in the account recovery flow, which the attackers abused to get into accounts.
What attackers did
Meta says the attackers exploited a flaw that let them gain access to accounts by triggering password-recovery behavior tied to an account's email address. According to the broader reporting, the exposure also extended to account holders' personal data reachable through the takeover process, such as email addresses, phone numbers, and birth dates.
Scale of impact
The reported impact is large: more than 20,000 Instagram accounts were affected, including thousands that were altered through a recovery-related process. Meta also said the issue let attackers breach accounts at scale rather than one targeted account at a time.
What was fixed
Meta said it addressed the problem, including by disabling or removing the vulnerable functionality. The incident also prompted follow-up work by security researchers and responders to identify affected accounts and lock down recovery paths.
Why it matters
Account recovery is one of the most security-sensitive parts of a consumer platform. A recovery flaw turns "forgot password" into an attack surface: instead of breaching credentials directly, attackers sidestep the verification steps that are supposed to prove ownership. Whatever is allowed to reset a password must prove control of the account at least as strongly as the password itself would, and it must not hand back profile data while doing so.
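To make that property concrete, here is an added example (not code from Meta or Instagram, and not a description of the undisclosed Meta flaw) that puts a weak recovery path beside a hardened one. The weak path accepts a supplied email address as proof of ownership and returns profile data, which is the general risk class the article describes. The hardened path only ever delivers a reset secret to the verified channel, stores it hashed, binds it to one account, makes it single-use and time-limited, rate-limits requests, gives the same reply whether or not the address exists, and revokes live sessions on completion. All accounts, addresses, tokens and limits are constructed for the demo.

```python
"""Generic account-recovery flow: weak pattern beside a hardened pattern.

Added illustration, not Meta/Instagram code and not the actual flaw.
All accounts, phone numbers, tokens and limits are constructed.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60      # assumption: 15-minute reset window
MAX_REQUESTS_PER_WINDOW = 5      # assumption: per-address and per-source limit
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


def sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def hash_pw(pw: str) -> str:
    return "pw:" + sha256(pw)    # stand-in for argon2/bcrypt in a real system


@dataclass
class Account:
    email: str
    password_hash: str
    email_verified: bool
    phone: str                                   # personal data that must not leak
    sessions: set = field(default_factory=set)   # live session ids


@dataclass
class ResetTicket:
    account_email: str
    token_hash: str
    expires_at: float
    used: bool = False


class WeakRecovery:
    """Weak pattern: naming a registered address counts as ownership, so one
    request per address resets accounts in bulk and the reply leaks PII."""

    def __init__(self, accounts):
        self.accounts = {a.email: a for a in accounts}

    def reset(self, email: str, new_password: str):
        acct = self.accounts.get(email)
        if acct is None:
            return None                                   # also an enumeration oracle
        acct.password_hash = hash_pw(new_password)        # no ownership check at all
        return {"email": acct.email, "phone": acct.phone}  # profile data in the response


class HardenedRecovery:
    """Hardened pattern: secret goes only to the verified channel, is stored
    hashed, bound to one account, single-use, expiring and rate-limited."""

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.email: a for a in accounts}
        self.tickets: dict[str, ResetTicket] = {}   # token hash -> ticket
        self.outbox: list[tuple[str, str]] = []     # (email, token) "sent" to the mailbox
        self.request_log: dict[str, int] = {}
        self.now = now

    def request_reset(self, email: str, source: str) -> str:
        # Throttle both the target address and the requester before any lookup,
        # so mass requests against many addresses are cut off early.
        for key in (f"email:{email}", f"src:{source}"):
            self.request_log[key] = self.request_log.get(key, 0) + 1
            if self.request_log[key] > MAX_REQUESTS_PER_WINDOW:
                return GENERIC_REPLY
        acct = self.accounts.get(email)
        if acct is not None and acct.email_verified:
            token = secrets.token_urlsafe(32)
            self.tickets[sha256(token)] = ResetTicket(
                acct.email, sha256(token), self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((acct.email, token))   # only the mailbox owner sees it
        return GENERIC_REPLY        # identical reply whether or not the address exists

    def complete_reset(self, token: str, new_password: str) -> bool:
        ticket = self.tickets.get(sha256(token))
        if ticket is None or ticket.used or self.now() > ticket.expires_at:
            return False
        ticket.used = True                              # single use
        acct = self.accounts[ticket.account_email]      # bound to exactly one account
        acct.password_hash = hash_pw(new_password)
        acct.sessions.clear()                           # evict any sessions an attacker holds
        return True


def demo_accounts():
    return [
        Account("alice@example.com", hash_pw("old"), True, "+1-555-0100", {"s1", "s2"}),
        Account("bob@example.com", hash_pw("old"), False, "+1-555-0101"),
    ]


def run_demo():
    weak = WeakRecovery(demo_accounts())
    leaked = weak.reset("alice@example.com", "attacker")        # succeeds and leaks phone
    hard = HardenedRecovery(demo_accounts())
    reply = hard.request_reset("alice@example.com", source="203.0.113.9")
    guessed = hard.complete_reset("not-the-token", "attacker")  # False: no secret, no reset
    _email, token = hard.outbox[-1]                             # only the verified mailbox has this
    first = hard.complete_reset(token, "new-pass")              # True, sessions revoked
    replay = hard.complete_reset(token, "again")                # False: single use
    return leaked, reply, guessed, first, replay, hard.accounts["alice@example.com"].sessions


if __name__ == "__main__":
    print(run_demo())
```

The point of the hardened class is that the only thing that resets a password is possession of a secret that was delivered to the verified channel; naming an address, guessing, replaying an old token, or waiting past the window all fail identically, and the request endpoint never reveals whether the address exists or what is on the profile.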
For users, the practical steps are straightforward: review account security settings, confirm that the recovery email and phone number on the account are still yours, change passwords where appropriate, and enable strong authentication such as two-factor login. For Meta, the incident underscores that even features introduced as support tooling, such as AI-assisted help, can end up reaching parts of the system that are high-value to attackers.
Bottom line
A flaw linked to Meta's AI support assistant and Instagram's account recovery logic enabled mass takeovers, affecting over 20,000 accounts and exposing personal data along the way. Meta moved to mitigate the issue after discovery.