Meta disclosed that over 20,225 Instagram accounts were hijacked by exploiting a vulnerability in its AI-assisted account recovery chatbot from mid-April to early June 2026 [1, 2, 3]. Hackers tricked the chatbot into sending password reset links to email addresses they controlled, bypassing two-factor authentication (2FA) on affected accounts [1, 2, 3]. Only accounts without 2FA enabled were at risk [1, 2, 3].

The campaign started on April 17, 2026, and lasted nearly seven weeks until Meta detected it on May 31, 2026 [2, 3]. Meta disabled the vulnerable AI chatbot and removed the buggy code on June 1, 2026, effectively resolving the incident, according to company communications head Andy Stone [2, 3]. The company also invalidated all password reset links generated by the exploit and introduced additional security verification steps [2, 3].

Hackers gained full control of victims’ accounts, accessing contact details, birthdates, posts, direct messages, and connected accounts [1, 2, 3]. Notably, some high-profile hacked accounts included former US President Barack Obama’s Instagram archive and US Space Force Chief Master Sergeant John F. Bentivegna’s official account [2, 3].

Hackers reportedly used VPNs to spoof victims’ geographic locations, helping them bypass Instagram’s regional automated protections [3]. Meta filed a data breach notification with the Maine Attorney General on June 5, stating that 30 of the affected users were located in Maine, USA [1].

Meta explained the exploit occurred because a bug in separate code allowed the system to send password reset links to unassociated email addresses instead of rejecting those requests. "This allowed unauthorized third parties to receive a password reset link for accounts they did not own," Meta said [2].
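As an added illustration of the failure Meta describes (example code, not Meta's own; the account store, outbox and token generator are constructed stand-ins), here is a reset handler that uses a caller-supplied destination as-is, beside one that issues a link only to an address already associated with the account, plus an audit pass that finds links sent to unassociated addresses, the kind a cleanup would invalidate:

```python
import hmac
import secrets

# Constructed sample account store: username -> verified email addresses on file.
ACCOUNTS = {
    "alice": {"alice@example.com"},
    "bob": {"bob@example.com", "bob.work@example.org"},
}


def _is_on_file(username: str, address: str) -> bool:
    """True only if `address` is one of the verified addresses for `username`."""
    on_file = ACCOUNTS.get(username, set())
    return any(hmac.compare_digest(address.lower(), e.lower()) for e in on_file)


def vulnerable_reset(username: str, destination: str, outbox: list) -> bool:
    """Bug pattern from the report: the destination supplied with the request
    is never checked against the account, so a link goes wherever it asks."""
    if username not in ACCOUNTS:
        return False
    outbox.append((username, destination, secrets.token_urlsafe(32)))
    return True


def hardened_reset(username: str, destination: str, outbox: list) -> bool:
    """Issues a link only to an address already associated with the account.
    Unknown users and unassociated addresses both get the same False, so the
    response does not reveal which condition failed."""
    if not _is_on_file(username, destination):
        return False
    outbox.append((username, destination, secrets.token_urlsafe(32)))
    return True


def find_misdirected(outbox: list) -> list:
    """Audit helper: entries whose destination is not on file for the account.
    Each returned entry carries the token that should be invalidated."""
    return [entry for entry in outbox if not _is_on_file(entry[0], entry[1])]
```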

Meta considers the figure of 20,225 hijacked accounts an upper bound, as some accesses may have been legitimate [2]. The company continues to monitor for any remaining issues and has urged users to enable two-factor authentication for added protection.