Meta’s AI support chatbot had a serious bug that allowed hackers to take over more than 20,000 Instagram accounts. If you use Instagram, here’s what happened and what you need to do right now to stay safe.
What happened to Instagram accounts
The attack first surfaced on May 31st, 2026, and Meta resolved the incident on June 1st. Hackers exploited a flaw in Meta’s AI chatbot that helps users reset forgotten passwords. The system did not properly verify that the email address requesting a password reset matched the email address associated with the Instagram account, incorrectly sending reset links to unassociated email addresses.
This sounds small, but it’s huge: a hacker could ask the chatbot to reset your Instagram password and send the reset link to their own email address instead of yours. Then they could log in as you.
Meta confirmed that 20,225 accounts were hijacked this way. Several high-profile accounts were hit, including former President Barack Obama’s old White House account, US Space Force Chief Master Sergeant John F. Bentivegna, and Sephora. In Maine alone, 30 people were affected.
How serious is this for you
The hackers only succeeded if your account didn’t have two-factor authentication (2FA) turned on. Two-factor authentication means you need a second form of proof (like a code from your phone) to log in, even if someone has your password. If you had 2FA enabled, you were protected.
Meta says it doesn’t know if hackers actually accessed anyone’s personal data, but they could have. If they got into your account, they could see your email, phone number, birthdate, posts, direct messages, profile info, and any accounts linked to yours.
The good news: Meta disabled the buggy chatbot feature and invalidated all the fake reset links on June 1st. Anyone whose account was likely compromised has been automatically moved to a security checkpoint requiring extra authentication.
What to do right now
- Turn on two-factor authentication immediately. On Instagram, go to Settings, select Security, tap Two-Factor Authentication, and choose your method (text message or an authenticator app). This is your best defence.
- Change your Instagram password to something new and strong (mix uppercase, lowercase, numbers, and symbols).
- Check your login activity. In Settings, go to Security and look at “Login Activity” to see if anyone else accessed your account recently.
- Review connected accounts. If you’ve linked your Instagram to other services (Facebook, your email provider, etc.), check those are still secure.
- Watch for phishing emails. Don’t click suspicious links claiming to be from Instagram or Meta right now. Scammers may try to exploit this news to trick you.
The bigger picture
This is a reminder that even big tech companies like Meta make mistakes. The bug wasn’t a hack of Meta’s systems; it was a coding error that slipped through. But it affected tens of thousands of people in just two days before Meta caught it.
If you use any online service, especially ones tied to money or personal information, two-factor authentication is non-negotiable. It’s the single most effective thing you can do to protect yourself.
Bottom line: If you use Instagram, turn on two-factor authentication today. Change your password. Check your login activity. These three steps will protect you from this kind of attack.
Leave a Reply