Instagram AI Bug Exposed 20,225 Accounts: What US Users Must Do Now (June 2026)

    Meta’s own AI handed hackers full control of Instagram accounts. Without a password, phishing link, or malware, the Instagram AI bug, a flaw buried inside Meta’s “High Touch Support” (HTS) tool, let attackers claim ownership of any account by simply asking a chatbot to hand it over. This is the laziest hack of 2026. And Meta let it run for seven weeks before anyone inside the company noticed.


    What Is the Instagram AI Bug? (HTS Explained)

    HTS — High Touch Support — was Meta’s AI-assisted account recovery system, quietly rolled out across all Facebook and Instagram accounts in March 2026. Meta’s own product page described it as delivering “Solutions, not just suggestions.”

    The problem: HTS had elevated permissions to change account-critical settings (linked email, password reset pathway, account ownership) with zero identity verification. It trusted what users claimed. Not what they could prove.

    That single design decision is the entire Instagram AI bug, explained.


    How the Meta AI Chatbot Exploit Worked

    The attack took minutes. According to TechCrunch (Lorenzo Franceschi-Bicchierai) and 404 Media, here’s the exact sequence:

    1. Attacker contacts HTS, claims to own a target account
    2. Requests HTS link the account to an attacker-controlled email
    3. HTS complies and sends a password reset link to the new unverified email
    4. Attacker resets the password, locks out the real owner

    A VPN spoofed the target’s location for added plausibility. But it wasn’t even necessary. The chatbot never cross-checked the requested email against the account’s existing records. Meta’s own breach notice confirmed: “the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request.”

    No human Meta employee was involved at any point. The entire account takeover was automated.
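
The missing check described above, shown as an added example (not Meta's code and not part of the original article): a policy gate enforced outside the chatbot that rejects a reset link to any address not already on record. The `Account` model, the action names and the `owner_challenge_passed` flag are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    verified_emails: set            # addresses the owner has already proven control of
    pending_emails: set = field(default_factory=set)
    audit: list = field(default_factory=list)

def norm(email):
    return email.strip().lower()

def naive_tool(account, action, email):
    """Flawed pattern: the request is executed on the caller's claim alone."""
    account.audit.append((action, norm(email), "allowed"))
    return "allowed"

def guarded_tool(account, action, email, owner_challenge_passed=False):
    """Policy check enforced outside the chatbot, on every account-critical action."""
    email = norm(email)
    if action == "send_reset":
        # A reset link may only go to an address already on record.
        ok = email in account.verified_emails
    elif action == "link_email":
        # Adding an address requires a challenge answered through an existing
        # verified channel; the new address stays pending until confirmed.
        ok = owner_challenge_passed
        if ok:
            account.pending_emails.add(email)
    else:
        ok = False  # default deny for anything not explicitly modelled
    decision = "allowed" if ok else "rejected"
    account.audit.append((action, email, decision))
    return decision

def demo():
    # Constructed sample data, not taken from the incident.
    acct = Account("example_user", {"owner@example.com"})
    return [
        naive_tool(acct, "send_reset", "someone-else@example.net"),
        guarded_tool(acct, "link_email", "someone-else@example.net"),
        guarded_tool(acct, "send_reset", "someone-else@example.net"),
        guarded_tool(acct, "send_reset", " Owner@Example.com "),
        guarded_tool(acct, "link_email", "new@example.com", owner_challenge_passed=True),
        guarded_tool(acct, "send_reset", "new@example.com"),  # still pending
    ]
```

Every decision, including rejections, lands in the audit list, so repeated rejected requests against one account can be alerted on.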


    Which Instagram Accounts Were Hacked?

    The confirmed victims: the Obama-era White House Instagram account, U.S. Space Force Chief Master Sergeant John Bentivegna, Sephora, and security researcher Jane Wong, who publicly confirmed her password was changed without her knowledge.

    The scale: the New York Times reported approximately 34,000 Instagram accounts were affected, with attackers changing over 3,500 usernames. Meta’s official breach notice filed with Maine’s Office of the Attorney General puts confirmed compromised accounts at 20,225, the narrower, legally verified figure. Both numbers come from legitimate sources; the gap reflects different counting methodologies.

    The breach window ran from approximately April 17, 2026 until Meta disabled the tool in early June — roughly seven weeks of an open door.


    Meta Said It Was Fixed. Attacks Continued Anyway.

    June 1, 2026: Spokesperson Andy Stone publicly declared the issue “has already been fixed.”

    June 2, 2026: Accounts kept falling. Security researchers confirmed active takeovers after the fix announcement, per TechCrunch’s follow-up reporting. Meta then scrambled to manually alert affected users and secure targeted accounts.

    Following the breach, Meta disabled the HTS tool entirely. It then invalidated all password reset links generated during the breach window, cutting off any hijack attempts still in the pipeline. Finally, Meta enrolled affected users in a mandatory security checkpoint and required them to reset passwords through verified channels before regaining access.


    4 Things US Instagram Users Must Do Right Now

    1. Enable 2FA immediately. The Instagram AI bug primarily hit accounts without two-factor authentication. Go to: Settings → Accounts Center → Password and Security → Two-factor authentication. Use an authenticator app — not SMS. If you need a setup guide, see our advanced password security guide.

    2. Audit your linked email. Settings → Account → Personal Information. If you see an unrecognized email address, your account may already be compromised. Change it immediately, then change your password. For broader privacy hygiene, check our Instagram privacy settings guide.

    3. Review active sessions. Settings → Security → Login Activity. Revoke every session you don’t recognize. Do it now.

    4. Check if your data appeared in a breach. Use gizmodotech.com/check-data-breach/ — our guide walks through exactly how to verify whether your credentials have been exposed in any known breach database.



    Rohit

    Rohit Kumar is an experienced tech expert and content creator who simplifies technology. Through his website, he provides insightful articles, practical tips, and expert analysis on mobile specs, PC/laptop news, and how-to guides, empowering users to make informed tech decisions.
