Instagram AI chat breach may have affected more than 20,000 accounts
Meta disclosed a security incident in its AI support chatbot integrated with Instagram. The flaw allowed password reset links to be sent to arbitrary, unverified email addresses. The issue remained active for nearly seven weeks and affected at least 20,225 accounts.
What was the flaw?
The vulnerability was found in the AI chatbot that was supposed to help users manage their accounts and improve security. Instead, a logic error allowed normal verification procedures to be bypassed. As a result, a third party could request a password reset link for any account and have it sent to an email address of their choosing, without proving ownership of that account. That created a potential path to account takeover.
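The class of logic error described above, beside the server-side check that closes it. This is an added example, not Meta's code or anything from the disclosure; the tool functions, `Account`, `Outbox` and the sample account are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    verified_emails: tuple  # lowercase addresses the owner confirmed; first is primary

@dataclass
class Outbox:
    sent: list = field(default_factory=list)  # (username, destination) pairs

    def send_reset_link(self, username, to):
        self.sent.append((username, to))

# Constructed sample data for the illustration.
ACCOUNTS = {"alice": Account("alice", ("alice@example.com",))}

def naive_reset_tool(outbox, username, email):
    # Flawed pattern: the destination comes straight from the conversation,
    # so whoever is chatting decides where the reset link is delivered.
    outbox.send_reset_link(username, email)
    return "sent"

def hardened_reset_tool(outbox, username, email=None):
    # The chat may ask for a reset, but it never decides where the link goes:
    # the destination must already be a verified contact point on the account.
    account = ACCOUNTS.get(username)
    if account is None:
        return "no_action"
    if email is not None:
        requested = email.strip().lower()
        if requested not in account.verified_emails:
            # Nothing is sent; this outcome is worth logging and alerting on.
            return "rejected_unverified_destination"
        destination = requested
    else:
        destination = account.verified_emails[0]
    outbox.send_reset_link(username, destination)
    return "sent_to_verified"
```

The check lives in the tool handler rather than in the chatbot's instructions, so it holds regardless of what the conversation contains.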
Scale of the issue and risk for users
According to Meta's official disclosure, at least 20,225 Instagram accounts were affected. The flaw was active for nearly seven weeks, which increases the chance that it was exploited. This is a serious privacy and security issue because an Instagram account takeover can lead to identity theft, financial scams, or distribution of malicious software. The fact that Meta had previously promoted the chatbot as a security-enhancing tool makes the incident even more damaging for trust in AI-based support systems.
Response and recommendations
Meta said it identified and fixed the vulnerability. The company did not provide detailed information about whether the affected data was actually abused. Instagram users should stay alert, enable two-factor authentication, and monitor account activity regularly. The incident is another reminder that AI-based systems need strong testing and security review before they are deployed at scale.
Source: The Decoder