Hacker news

Meta confirms 1000s of Instagram accounts were hacked by abusing its AI chatbot (https://this.weekinsecurity.com)

666 points by speckx about 23 hours ago | 238 comments

Cyan488 about 23 hours ago |

> "The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account," said Meta in its breach notice.

I'm not sure "worked properly" and "as intended" accurately describe this situation.

johnyzee about 20 hours ago |

"Meta notified at least 20,225 people that their accounts had been compromised. [...]

The compromises allowed the hackers to take over the person's entire Instagram and any linked accounts, including obtaining contact information, dates of birth, and profile information, as well as the ability to access the person's posts, direct messages, and account activity [...]

the hacks began around April 17 and lasted until this week [...]"

This is staggering.

webbdev about 21 hours ago |

Meanwhile an account I created for a new product was permanently disabled by an automated system with no path for me to appeal to a human.

(If anyone at Meta/Instagram sees this I wrote a brief blog post with the details. Please help! https://addisonwebb.com/blog/2026-06-05-Can%20Someone%20at%2... )

loloquwowndueo about 23 hours ago |

This was on hacker news a few days ago (https://news.ycombinator.com/item?id=48359102) - description of the “hack”, not the cockamamie confirmation by Meta.

the_black_hand about 13 hours ago |

I'll never understand using AI/bot for customer support. IG is a well-known platform. If I have an issue I feel pressed to connect with a support agent about, it very likely is something a bot would struggle with, otherwise I'd just google. I understand there are some grandmas who can do a google search, but the vast majority of folks reaching out for support are doing so because they have a real issue that can't be simply automated.

Furthermore, having a bot handle a hacked account support ticket is just insane. Why tf would you put a bot there and give it permission to take action?

jhhh about 22 hours ago |

Why was 'can a user request a different email' not literally the first test that comes to mind when making something like this? Do they not test anything because the scale is too big?

dwa3592 about 21 hours ago |

I really hope this accelerates Meta's decline. The world will adapt just fine without social media.

Havoc about 21 hours ago |

>AI-assisted account recovery system

oh no...Meta what are you doing

phyzome about 22 hours ago |

Corrected headline: "Meta confirms 1000s of Instagram accounts were hacked due to their insecure AI chatbot".

hero4hire about 17 hours ago |

People were reporting their accounts were being taken over with proper 2FA. Everyone had wondered how the hackers could take over accounts with little information, people were saying "inside job."

This is exactly the stupid explanation I expected. Your privacy and security. Meta. Serious Business.

thraway3837 about 15 hours ago |

Has the data surfaced somewhere? A lot of IG accounts are private by choice, and this kind of data, if surfaced publicly, could have devastating privacy violations. People share all kinds of stuff on there, a lot of it not meant for public consumption. I'm not wanting a debate on "well you shouldn't put anything private on Facebook's servers or the internet blah blah blah". I'm just curious if the actual contents of the hack have been surfaced.

zahirbmirza about 21 hours ago |

And who said cameras linked to Meta in their glasses were a good idea?

whirlwin about 21 hours ago |

I got a suspicious password reset request email today from Meta but it landed in my inbox. Luckily I have MFA and after checking audit logs inside IG upon logging in, I did not see anything suspicious.

dansquizsoft about 20 hours ago |

You only have to look at both the ridiculously terrible "Q&A chatbot" that is in Facebook under some posts (do they still have this?) and the fact that their system can't tell the difference between an inappropriate and a non-inappropriate comment most of the time to understand just how far behind Meta is in AI...

tomashertus about 18 hours ago |

Move fast and break things.

zuzululu about 15 hours ago |

> as well as the ability to access the person's posts, direct messages

god dang!! we are going to see some juicy stuff

hayaan25929 about 7 hours ago |

Meta confirms 1000s of Instagram accounts were hacked by abusing its AI chatbot

boppo1 about 14 hours ago |

Is there a way to check if I was affected? Does Meta know who was affected?

rvz about 22 hours ago |

If this was a bank that had zero humans and the AI chatbot was abused to hand over sensitive information about their customers which led to this disaster, people would never trust their bank ever again and leave.

Meta believes that they can vibe-code their reputation down the drain by removing humans in the loop.

Applying a technical solution to a social problem almost always ends in disasters like this.

Reputation can’t be vibe-coded.

RgrTheShrubbr about 18 hours ago |

The AI passed the Turing Test by becoming the world's most trusting customer service rep.

naik11 about 3 hours ago |

I want to hack one Instagram account

latexr about 7 hours ago |

Meta is clearly staying true to their ethos. “Move fast and break things”, “ask for forgiveness, not permission”, “have your security researcher delete their own email by accident and then refuse to learn anything and use that same system to manage user accounts”.

hayaan25929 about 7 hours ago |

Just.me_samiyy hacked

itsnkr2293 about 10 hours ago |

Where is the security left now?

alvis about 19 hours ago |

How on earth would a password reset API take both email address and account ID as parameters? The chatbot is fine. I bet the API written by AI is the issue.
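
The check that Meta's notice (quoted at the top of the thread) says was missing, and the email-plus-account-ID pairing questioned in the comment above, shown as an added sketch. It is not Meta's code and not from any commenter; the account IDs, addresses and function names are hypothetical.

```python
import hmac
import secrets

# Constructed sample data: account id -> email on file (hypothetical values).
ACCOUNTS = {"acct_1001": "owner@example.com"}
OUTBOX = []  # (recipient, token) pairs standing in for a mail queue


def _normalize(email):
    """Trim and case-fold so cosmetic differences do not defeat the comparison."""
    return email.strip().casefold()


def reset_unverified(account_id, supplied_email):
    """Flawed path: the requester's email is trusted as the delivery address.

    Returns the address the reset token went to, or None.
    """
    if account_id not in ACCOUNTS:
        return None
    OUTBOX.append((supplied_email, secrets.token_urlsafe(32)))
    return supplied_email


def reset_verified(account_id, supplied_email):
    """Hardened path: the supplied email is a claim to check, never a destination.

    Returns the address the reset token went to, or None. A caller-facing
    response should be identical in both cases so it reveals nothing.
    """
    on_file = ACCOUNTS.get(account_id)
    # Unknown accounts are compared against a dummy so the work done is similar.
    expected = _normalize(on_file or "missing@invalid")
    matches = hmac.compare_digest(
        expected.encode(), _normalize(supplied_email).encode()
    )
    if on_file is None or not matches:
        return None
    # Deliver only to the address stored with the account.
    OUTBOX.append((on_file, secrets.token_urlsafe(32)))
    return on_file
```
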

cyanydeez about 22 hours ago |

"abusing" by using its built-in insecurity to do insecure things.

It's like, people abusing an open door. "Guys, just because we left the door open to your bedroom doesn't mean we're responsible".

God can only hope this is a business ending lawsuit.

Fairburn about 20 hours ago |

Are we winning yet?

anonzzzies about 9 hours ago |

Is there a tl;dr? are these people getting their accounts back?

pluc about 21 hours ago |

By "abusing" they mean "using"

smrtinsert about 18 hours ago |

How do business owners hire people from Meta knowing these types of "bugs" get deployed with a shrug? Meta will survive them. Their business might not.

_RPM about 21 hours ago |

Probably some product manager pushed back on security considerations raised by engineers.

butler14 about 9 hours ago |

Silicon Valley’s finest

Lionga about 19 hours ago |

Just AI Slop doing AI Slop things

empiree about 19 hours ago |

Yet another reminder that most of these chatbots get shipped way before they're ready. Loud marketing, security treated as an afterthought, all to ride the AI hype. LLMs open up a whole new attack surface and a lot of teams still treat prompt injection like a fun edge case. This is what happens when you ship the demo instead of the product.

paulpauper about 19 hours ago |

Imagine how much $ ppl could have made hijacking famous accounts to promote crypto or other crap. I wonder how often this happened.