Meta has disclosed a data breach that may have compromised up to 20,225 Instagram accounts, including 30 in Maine, due to a flaw in its AI-powered support chatbot. Meta described that figure as an upper bound. The flaw was in a buggy account-recovery tool that let attackers have password reset links sent to arbitrary email addresses, with no check that the address belonged to the account being recovered. The company said it disabled the chatbot and invalidated the outstanding reset links to protect affected users. The breach was first reported by Thisweekinsecurity, which cited a data breach notification from Meta.
The incident began around April 17, 2026, and was discovered on May 31, a window of roughly six weeks. Attackers exploited a vulnerability in the AI-powered 'High Touch Support' recovery system, which was designed to help locked-out users regain access to their accounts. A bug in a separate code path meant the system never checked whether the email address supplied in a recovery request actually belonged to the Instagram account being recovered. As a result, an attacker could have a password reset link for a target account delivered to an address they controlled and use it to take over the account.
Meta said it does not know which information was accessed during the breach, but the data potentially exposed included contact information, birth dates, posts, direct messages, account activity, profile information, and linked services. The company said it plans to fix the email verification step in the recovery process and to audit similar systems across its platforms. The incident comes amid Meta's ongoing push to expand its AI initiatives despite recent layoffs. Source: thedecoder