Instagram AI chatbot breach may have affected over to 20,000 accounts, Meta discloses

In an official data breach notification, Meta has for the first time put a number on the scope of the already-known vulnerability in its AI support chatbot. The hacking campaign ran for nearly seven weeks.

Meta has released a data breach notification to the Maine Attorney General's office with the first concrete numbers on the hacking campaign targeting Instagram accounts. At least 20,225 accounts were compromised, including 30 in Maine.

Hackers exploited Meta's AI-powered support chatbot for Instagram for months to take over other people's accounts. The chatbot, an account recovery tool called "High Touch Support," was designed to help locked-out users regain access. But a bug in a separate code path meant the system never checked whether the email address provided actually belonged to the Instagram account in question.

According to the notification, the attacks started around April 17, 2026, and weren't discovered until May 31. The attackers exploited the already-known flaw in the AI-powered "High Touch Support" recovery system, which sent password reset links to any email address without verifying it belonged to the account.

Meta calls the 20,225 figure an upper bound, since some access attempts may have come from legitimate account holders. The data that was potentially accessible includes contact info, birth dates, posts, direct messages, account activity, profile information, and linked services, according to Meta. The company says it doesn't know which information was actually viewed. Thisweekinsecurity first reported on the notification.