Hacker News

Meta confirms 1000s of Instagram accounts were hacked by abusing its AI chatbot

665 points by speckx yesterday at 6:35 PM | 238 comments

Comments

Cyan488 yesterday at 7:10 PM

> "The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account," said Meta in its breach notice.

I'm not sure "worked properly" and "as intended" accurately describe this situation.

johnyzee yesterday at 9:57 PM

"Meta notified at least 20,225 people that their accounts had been compromised. [...]

The compromises allowed the hackers to take over the person's entire Instagram and any linked accounts, including obtaining contact information, dates of birth, and profile information, as well as the ability to access the person's posts, direct messages, and account activity [...]

the hacks began around April 17 and lasted until this week [...]"

This is staggering.

webbdev yesterday at 8:22 PM

Meanwhile an account I created for a new product was permanently disabled by an automated system with no path for me to appeal to a human.

(If anyone at Meta/Instagram sees this I wrote a brief blog post with the details. Please help! https://addisonwebb.com/blog/2026-06-05-Can%20Someone%20at%2... )

loloquwowndueo yesterday at 7:13 PM

This was on hacker news a few days ago (https://news.ycombinator.com/item?id=48359102) - description of the “hack”, not the cockamamie confirmation by Meta.

the_black_hand today at 5:18 AM

I'll never understand using AI/bot for customer support. IG is a well-known platform. If I have an issue I feel pressed to connect with a support agent about, it very likely is something a bot would struggle with, otherwise I'd just google. I understand there are some grandmas who can do a google search, but the vast majority of folks reaching out for support are doing so because they have a real issue that can't be simply automated.

Furthermore, having a bot handle a hacked account support ticket is just insane. Why tf would you put a bot there and give it permission to take action?

jhhh yesterday at 8:15 PM

Why was 'can a user request a different email' not literally the first test that comes to mind when making something like this? Do they not test anything because the scale is too big?

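The check the breach notice says was missing, together with the test jhhh asks about, as an added example (not Meta's code and not part of any comment in this thread). The account store, handler names and addresses are hypothetical and constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data: account id -> email address on file.
ACCOUNTS = {"acct-1001": "owner@example.com"}


def _normalize(email: str) -> str:
    # Compare addresses case-insensitively and ignore surrounding whitespace.
    return email.strip().lower()


def reset_unchecked(account_id: str, requested_email: str, outbox: list) -> bool:
    """The failure mode in the breach notice: the link goes to whatever
    address the requester supplied, with no comparison to the account record."""
    if account_id not in ACCOUNTS:
        return False
    outbox.append((requested_email, secrets.token_urlsafe(32)))
    return True


def reset_checked(account_id: str, requested_email: str, outbox: list) -> bool:
    """Issue a link only when the supplied address matches the one on file,
    and deliver it to the stored address, never to caller-supplied input."""
    on_file = ACCOUNTS.get(account_id)
    if on_file is None:
        return False
    supplied = _normalize(requested_email).encode()
    if not hmac.compare_digest(supplied, _normalize(on_file).encode()):
        return False
    outbox.append((on_file, secrets.token_urlsafe(32)))
    return True


def recipients(handler, account_id: str, requested_email: str) -> list:
    """Regression-test helper: which addresses received a reset link?"""
    outbox = []
    handler(account_id, requested_email, outbox)
    return [to for to, _token in outbox]
```

Run against both handlers, `recipients` with a mismatched address is the "different email" regression test: the checked handler must return an empty list.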
dwa3592 yesterday at 8:49 PM

I really hope this accelerates Meta's decline. The world will adapt just fine without social media.

Havoc yesterday at 8:26 PM

> AI-assisted account recovery system

oh no...Meta what are you doing

phyzome yesterday at 8:12 PM

Corrected headline: "Meta confirms 1000s of Instagram accounts were hacked due to their insecure AI chatbot".

hero4hire today at 12:31 AM

People were reporting their accounts were being taken over with proper 2FA. Everyone had wondered how the hackers could take over accounts with little information, people were saying "inside job."

This is exactly the stupid explanation I expected. Your privacy and security. Meta. Serious Business.

thraway3837 today at 2:45 AM

Has the data surfaced somewhere? A lot of IG accounts are private by choice, and this kind of data, if surfaced publicly, could have devastating privacy violations. People share all kinds of stuff on there, a lot of it not meant for public consumption. I'm not wanting a debate on "well you shouldn't put anything private on Facebook's servers or the internet blah blah blah". I'm just curious if the actual contents of the hack have been surfaced.

zahirbmirza yesterday at 8:39 PM

And who said cameras linked to Meta in their glasses were a good idea?

whirlwin yesterday at 8:35 PM

I got a suspicious password reset request email today from Meta but it landed in my inbox. Luckily I have MFA and after checking audit logs inside IG upon logging in, I did not see anything suspicious.

dansquizsoft yesterday at 10:07 PM

You only have to look at both the ridiculously terrible "Q&A chatbot" that is in Facebook under some posts (do they still have this?) and the fact that their system can't tell the difference between an inappropriate and a non-inappropriate comment most of the time to understand just how far behind Meta is in AI...

tomashertus yesterday at 11:20 PM

Move fast and break things.

zuzululu today at 2:25 AM

> as well as the ability to access the person's posts, direct messages

god dang!! we are going to see some juicy stuff

hayaan25929 today at 10:41 AM

Meta confirms 1000s of Instagram accounts were hacked by abusing its AI chatbot

boppo1 today at 3:53 AM

Is there a way to check if I was affected? Does Meta know who was affected?

rvz yesterday at 7:44 PM

If this was a bank that had zero humans and the AI chatbot was abused to hand over sensitive information about their customers which led to this disaster, people would never trust their bank ever again and leave.

Meta believes that they can vibe-code their reputation down the drain by removing humans in the loop.

Applying a technical solution to a social problem almost always ends in disasters like this.

Reputation can’t be vibe-coded.

RgrTheShrubbr yesterday at 11:43 PM

The AI passed the Turing Test by becoming the world's most trusting customer service rep.

naik11 today at 2:36 PM

I want to hack one Instagram account

latexr today at 11:00 AM

Meta is clearly staying true to their ethos. “Move fast and break things”, “ask for forgiveness, not permission”, “have your security researcher delete their own email by accident and then refuse to learn anything and use that same system to manage user accounts”.

hayaan25929 today at 10:42 AM

Just.me_samiyy hacked

itsnkr2293 today at 8:01 AM

Where is the security left now?

alvis yesterday at 10:28 PM

How on earth would a password reset API take both email address and account ID as parameters? The chatbot is fine. I bet it's the API written by AI that's the issue.

cyanydeez yesterday at 8:07 PM

"abusing" by using its built-in insecurity to do insecure things.

It's like, people abusing an open door. "Guys, just because we left the door open to your bedroom doesn't mean we're responsible".

God can only hope this is a business-ending lawsuit.

Fairburn yesterday at 10:08 PM

Are we winning yet?

anonzzzies today at 8:31 AM

Is there a tl;dr? Are these people getting their accounts back?

pluc yesterday at 8:58 PM

By "abusing" they mean "using"

smrtinsert yesterday at 11:30 PM

How do business owners hire people from Meta knowing these types of "bugs" get deployed with a shrug? Meta will survive them. Their business might not.

_RPM yesterday at 8:28 PM

Probably some product manager pushed back on security considerations raised by engineers.

butler14 today at 9:13 AM

Silicon Valley’s finest

Lionga yesterday at 11:07 PM

Just AI Slop doing AI Slop things

empiree yesterday at 10:28 PM

Yet another reminder that most of these chatbots get shipped way before they're ready. Loud marketing, security treated as an afterthought, all to ride the AI hype. LLMs open up a whole new attack surface and a lot of teams still treat prompt injection like a fun edge case. This is what happens when you ship the demo instead of the product.

paulpauper yesterday at 10:23 PM

Imagine how much $ ppl could have made hijacking famous accounts to promote crypto or other crap. I wonder how often this happened.