Sephora: Meta Says Thousands of Instagram Accounts Were Breached Through Its AI Support Assistant

Meta Confirms 20,000 Instagram Accounts Breached via AI Support Assistant Flaw

Meta disclosed a security breach affecting over 20,000 Instagram accounts after hackers exploited a vulnerability in its AI-powered support assistant. The incident, which began on April 17 and was discovered on May 31, allowed attackers to bypass email verification during password resets, gaining unauthorized access to accounts.

The flaw stemmed from a bug in a secondary code path that failed to confirm whether the email address supplied for a password reset matched the address already on file for the account. Hackers used VPNs to appear to be in the same country as their targets, then tricked Meta’s AI assistant into linking their own email addresses to the victims’ accounts. Once linked, the attackers received the password reset links and could complete full account takeovers. The attack only succeeded on accounts without two-factor authentication (2FA) enabled, which still required a second factor after the password change.
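The flaw described above, modelled as an added example that is not Meta's code and does not come from the original article: a primary reset path that delivers a link only to the verified address on the account, a secondary assistant-reached path that checks the caller's country but never checks address ownership (the bug), the hardened form that delegates to the primary check instead of carrying its own, and a 2FA gate at redemption that shows why 2FA-enabled accounts survived. The account fields, function names and the recovery-log records are constructed assumptions; the last function also illustrates the page's "monitor for unusual account recovery attempts" recommendation.

```python
"""Constructed model of an account-recovery flow with a primary path and a
weaker secondary path of the kind the article describes. This is an added
illustration, not Meta's code; every name and field here is an assumption."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str                       # verified contact address on file
    country: str                     # country associated with the account
    two_factor: bool = False
    # reset token -> address the link was actually delivered to
    reset_links: dict = field(default_factory=dict)


def _issue_link(acct, deliver_to):
    token = secrets.token_urlsafe(32)
    acct.reset_links[token] = deliver_to
    return token


def primary_reset(acct, requested_email):
    """Primary path: a link is issued only if the requested address is the
    one already on the account, and it is delivered to that address."""
    if requested_email.strip().lower() != acct.email.lower():
        return None
    return _issue_link(acct, acct.email)


def assistant_reset_vulnerable(acct, requested_email, client_country):
    """Secondary path reached through the support assistant. It checks the
    caller's apparent country (satisfied by a VPN) but never checks that the
    supplied address matches the account, so the link goes to that address."""
    if client_country != acct.country:
        return None
    return _issue_link(acct, requested_email)


def assistant_reset_fixed(acct, requested_email, client_country):
    """Hardened: the secondary path delegates to the primary path's ownership
    check rather than carrying its own, so both paths agree on who may
    receive a reset link."""
    if client_country != acct.country:
        return None
    return primary_reset(acct, requested_email)


def redeem(acct, token, holder_email, otp_ok=False):
    """A reset link completes a takeover only if the holder is the address it
    was delivered to and, where 2FA is enabled, a valid second factor is also
    presented. This is why 2FA-protected accounts survived the flaw."""
    if acct.reset_links.get(token) != holder_email:
        return False
    if acct.two_factor and not otp_ok:
        return False
    return True


def attempt_takeover(path, acct, attacker_email="attacker@example.net"):
    """Replay the reported technique: VPN into the victim's country, ask the
    assistant to link the attacker's address, then use the emailed link."""
    token = path(acct, attacker_email, acct.country)
    return token is not None and redeem(acct, token, attacker_email)


# Constructed recovery-log records (not real Meta telemetry) for the
# "monitor for unusual account recovery attempts" recommendation.
RECOVERY_LOG = [
    {"event_id": 1, "account_email": "alice@example.com",
     "delivered_to": "alice@example.com", "path": "primary"},
    {"event_id": 2, "account_email": "bob@example.com",
     "delivered_to": "attacker@example.net", "path": "assistant"},
    {"event_id": 3, "account_email": "carol@example.com",
     "delivered_to": "Carol@Example.com", "path": "assistant"},
    {"event_id": 4, "account_email": "dave@example.com",
     "delivered_to": "other@example.org", "path": "assistant"},
]


def flag_suspicious_resets(records):
    """Flag recovery events whose link was delivered somewhere other than the
    verified address on the account: the signature of the bug above."""
    return [r["event_id"] for r in records
            if r["delivered_to"].strip().lower() != r["account_email"].lower()]


if __name__ == "__main__":
    victim = Account("victim", "victim@example.com", "US")
    protected = Account("protected", "p@example.com", "US", two_factor=True)
    print("vulnerable path, no 2FA:", attempt_takeover(assistant_reset_vulnerable, victim))
    print("vulnerable path, 2FA on:", attempt_takeover(assistant_reset_vulnerable, protected))
    print("fixed path, no 2FA:", attempt_takeover(assistant_reset_fixed, Account("v", "v@example.com", "US")))
    print("flagged events:", flag_suspicious_resets(RECOVERY_LOG))
```

The design point is that the country check the attackers defeated with a VPN was never the control that mattered; the ownership check was, and it existed only on the primary path. Running the script shows the vulnerable path succeeding against the non-2FA account, failing against the 2FA account, and the fixed path failing against both, with events 2 and 4 of the constructed log flagged.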

Among the high-profile accounts compromised were those belonging to the Barack Obama White House, the Chief Master Sergeant of the U.S. Space Force, and Sephora. While Meta stated it is unaware of any personal data being accessed, the breach could have exposed contact details, dates of birth, profile information, direct messages, account history, and linked service data.

Meta responded by disabling the AI support tool, removing the vulnerable code, and invalidating existing password reset links on the day the breach was identified. The company also notified regulators and filed a breach notice with Maine’s attorney general, confirming 20,225 affected individuals. Additionally, Meta is reviewing similar account recovery processes across its platforms to prevent future vulnerabilities.

The incident highlights growing concerns about AI’s role in cyberattacks, in this case not as an attacker’s tool but as an exposed attack surface: Meta’s AI support assistant, introduced in March 2024 to streamline account recovery, reached a secondary code path whose email check was weaker than the primary flow’s, and that path became an unintended vector for the breach.

Source: https://gizmodo.com/meta-says-thousands-of-instagram-accounts-were-breached-through-its-ai-support-assistant-2000768770

SEPHORA cybersecurity rating report: https://www.rankiteo.com/company/sephora

"id": "SEP1780946094",
"linkid": "sephora",
"type": "Breach",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '20,225',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Instagram (Meta)',
                        'size': 'Large',
                        'type': 'Social Media Platform'},
                       {'industry': 'Public Sector',
                        'location': 'United States',
                        'name': 'Barack Obama White House',
                        'type': 'Government'},
                       {'industry': 'Defense',
                        'location': 'United States',
                        'name': 'Chief Master Sergeant of the U.S. Space Force',
                        'type': 'Government/Military'},
                       {'industry': 'Retail/Cosmetics',
                        'location': 'Global',
                        'name': 'Sephora',
                        'size': 'Large',
                        'type': 'Corporation'}],
 'attack_vector': 'Exploitation of AI-powered support assistant vulnerability',
 'customer_advisories': 'Notified affected individuals',
 'data_breach': {'data_exfiltration': 'Unknown',
                 'number_of_records_exposed': '20,225',
                 'personally_identifiable_information': 'Yes (contact details, '
                                                        'dates of birth, '
                                                        'profile information)',
                 'sensitivity_of_data': 'High (PII, direct messages, account '
                                        'history)',
                 'type_of_data_compromised': 'Personal and account-related '
                                             'data'},
 'date_detected': '2024-05-31',
 'date_resolved': '2024-05-31',
 'description': 'Meta disclosed a security breach affecting over 20,000 '
                'Instagram accounts after hackers exploited a vulnerability in '
                'its AI-powered support assistant. The flaw allowed attackers '
                'to bypass email verification during password resets, gaining '
                'unauthorized access to accounts without two-factor '
                'authentication (2FA) enabled.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': 'Contact details, dates of birth, profile '
                                'information, direct messages, account '
                                'history, linked service data',
            'identity_theft_risk': 'Yes',
            'operational_impact': 'Account takeovers, potential exposure of '
                                  'sensitive user data',
            'systems_affected': 'Instagram accounts'},
 'initial_access_broker': {'entry_point': 'AI support assistant vulnerability',
                           'high_value_targets': 'Yes (government, military, '
                                                 'corporate accounts)'},
 'investigation_status': 'Completed',
 'lessons_learned': 'Growing concerns about AI’s role in cyberattacks, need '
                    'for robust verification in automated systems, importance '
                    'of 2FA in preventing account takeovers',
 'post_incident_analysis': {'corrective_actions': 'Disabled vulnerable AI '
                                                  'tool, removed flawed code, '
                                                  'invalidated password reset '
                                                  'links, reviewed similar '
                                                  'processes',
                            'root_causes': 'Bug in secondary code path for '
                                           'email verification during password '
                                           'reset, lack of 2FA on affected '
                                           'accounts'},
 'recommendations': 'Enable two-factor authentication (2FA), review and secure '
                    'AI-powered support tools, enhance email verification '
                    'processes, monitor for unusual account recovery attempts',
 'references': [{'source': 'Meta Breach Notice'}],
 'regulatory_compliance': {'regulatory_notifications': 'Filed breach notice '
                                                       'with Maine’s attorney '
                                                       'general'},
 'response': {'communication_strategy': 'Filed breach notice with Maine’s '
                                        'attorney general, notified regulators',
              'containment_measures': 'Disabled AI support tool, removed '
                                      'vulnerable code, invalidated existing '
                                      'password reset links',
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': 'Reviewing similar account recovery '
                                      'processes across platforms'},
 'title': 'Meta Confirms 20,000 Instagram Accounts Breached via AI Support '
          'Assistant Flaw',
 'type': 'Account Takeover',
 'vulnerability_exploited': 'Bug in secondary code path failing to confirm '
                            'email address match during password reset'}