Meta has disclosed that a security breach involving Instagram's AI chatbot may have affected more than 20,000 accounts. The incident has renewed concerns about user privacy, AI system security and the safeguards needed as generative AI features become more widely adopted.
Meta has submitted an official data breach notification to the Maine Attorney General's office, giving the first concrete numbers on the hacking campaign that targeted Instagram accounts through the already-known vulnerability in its AI support chatbot. The campaign ran for nearly seven weeks, and at least 20,225 accounts were compromised.
The data that was potentially accessible includes contact info, birth dates, posts, direct messages, account activity, profile information, and linked services, according to Meta.
According to the notification, the attacks started around April 17, 2026, and weren't discovered until May 31. The attackers exploited the already-known flaw in the AI-powered "High Touch Support" recovery system, which sent password reset links to any email address without verifying it belonged to the account.
Hackers exploited Meta's AI-powered support chatbot for Instagram for months to take over other people's accounts. The chatbot, an account recovery tool called "High Touch Support," was designed to help locked-out users regain access. However, a bug in a separate code path meant the system never checked whether the email address provided actually belonged to the Instagram account in question.
Meta disabled the AI chatbot, removed the faulty code path, and invalidated all password reset links generated through the system. Affected users were placed into a mandatory security checkpoint and asked to reset their passwords through verified channels. Before reactivating the tool, Meta plans to fix the email verification step in the recovery process and audit similar account recovery systems across all its platforms.
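The missing ownership check and the link invalidation described above can be sketched as follows. This is an added illustration, not Meta's code: the in-memory account store, the function names and the `support_bot` channel tag are hypothetical, and the sample data is constructed.

```python
import hashlib, hmac, secrets, time

# Constructed sample data: account -> verified contact emails on file.
ACCOUNTS = {"alice": {"alice@example.com"}}
RESET_TOKENS = {}   # sha256(token) -> {"account", "channel", "expires"}
OUTBOX = []         # (recipient, token) pairs standing in for a mail queue

def _norm(email):
    return email.strip().lower()

def _issue(account, recipient, channel, ttl=900):
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
    RESET_TOKENS[digest] = {"account": account, "channel": channel,
                            "expires": time.time() + ttl}
    OUTBOX.append((recipient, token))

def request_reset_vulnerable(account, supplied_email, channel="support_bot"):
    # The flaw described above: the link goes to whatever address was supplied.
    _issue(account, _norm(supplied_email), channel)
    return "If the details match, a reset link has been sent."

def request_reset_hardened(account, supplied_email, channel="support_bot"):
    supplied = _norm(supplied_email)
    for on_file in ACCOUNTS.get(account, ()):
        # Timing-safe comparison; mail the stored address, never the input.
        if hmac.compare_digest(_norm(on_file).encode(), supplied.encode()):
            _issue(account, on_file, channel)
            break
    # Same reply either way, so the response does not confirm ownership.
    return "If the details match, a reset link has been sent."

def redeem(token, now=None):
    # Single use: the record is removed on the first lookup.
    rec = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None or (now or time.time()) > rec["expires"]:
        return None
    return rec["account"]

def invalidate_channel(channel):
    # Incident response: revoke every outstanding link issued via one code path.
    stale = [d for d, r in RESET_TOKENS.items() if r["channel"] == channel]
    for d in stale:
        del RESET_TOKENS[d]
    return len(stale)
```

Tagging each token with the code path that issued it is what makes a targeted bulk revocation possible without resetting links created through other recovery flows.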
As AI-powered features become more common across social media platforms, users are paying closer attention to how their data is handled. Incidents like this highlight the need for stronger security controls, transparent disclosures and responsible AI development to maintain user trust.