Meta has admitted that more than 20,000 Instagram accounts were hacked through a flaw in its AI-based account recovery system. Attackers exploited a technical vulnerability to obtain users' password reset links and took over multiple accounts. According to reports, photos, email addresses, direct messages, account activity records, dates of birth and other personal information may have been leaked in this cyber attack. The incident has raised new concerns about social media security. Meta is now advising affected users to be cautious and turn on two-factor authentication.
**Flaw in the AI recovery system is the main cause**
According to Meta, the incident was caused by a vulnerability in its “high-touch support tools.” This AI-powered recovery system was created to help users who lost access to their Instagram account. Reports suggest that attackers took advantage of this vulnerability in the system to obtain a password reset link. Accounts that did not have two-factor authentication turned on were the most affected. Meta said the attackers manipulated the account recovery process to take over the accounts. After this incident, the company has started reviewing its security measures.
**How hackers took over the accounts**
The reports reveal a major flaw in the AI support workflow: the system failed to verify whether the email address provided during recovery was actually associated with the Instagram account being recovered. By exploiting this vulnerability, hackers convinced the support bot to associate a new email address with the user's account. They then requested a password reset and, upon receiving the reset code, gained access to the account. Videos and screenshots surfacing online show that the attackers carried out the process by interacting directly with the AI support assistant.
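The missing check described above, shown next to a corrected version, as an added example that is not Meta's code. The `Account` model, the function names, the in-memory audit log and the sample addresses are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    verified_emails: set = field(default_factory=set)  # addresses the owner confirmed earlier

AUDIT_LOG = []  # in-memory stand-in for a real audit sink

def _norm(email):
    return email.strip().lower()

def recover_unchecked(account, claimed_email):
    """Flawed flow as the reports describe it: the address given in the
    support conversation is attached to the account with no ownership check."""
    email = _norm(claimed_email)
    account.verified_emails.add(email)
    return {"action": "send_reset", "to": email}

def recover_checked(account, claimed_email):
    """Hardened flow: enforced in the tool the assistant calls, so nothing
    said in the conversation can change which addresses receive a reset."""
    email = _norm(claimed_email)
    if email not in account.verified_emails:
        # Record the mismatch for detection; account state is left untouched.
        AUDIT_LOG.append({"event": "recovery_email_mismatch",
                          "account": account.username, "claimed": email})
        return {"action": "deny", "reason": "email_not_on_file"}
    AUDIT_LOG.append({"event": "reset_sent", "account": account.username})
    return {"action": "send_reset", "to": email}

def demo():
    # Constructed sample data, not real accounts or addresses.
    victim = Account("example_user", {"owner@example.com"})
    flawed = recover_unchecked(Account("example_user", {"owner@example.com"}),
                               "someone-else@example.net")
    denied = recover_checked(victim, "someone-else@example.net")
    allowed = recover_checked(victim, " Owner@Example.com ")
    return flawed, denied, allowed, victim

if __name__ == "__main__":
    for result in demo()[:3]:
        print(result)
```

The `recovery_email_mismatch` events are also a detection signal: a burst of recovery requests naming addresses that are not on file is worth alerting on.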
**Data Leak and Suggestions for Users**
According to Meta's data breach notification, the first successful attack occurred around April 17, 2026. The company has not yet confirmed what data was actually leaked, but reports claim that photos, email addresses, direct messages, account activity records, dates of birth and other personal information may have been affected. The security breach also affected high-profile accounts such as Sephora, Barack Obama's White House account, and the Space Force Chief Master Sergeant's account. Cybersecurity experts are advising users to use strong passwords, turn on two-factor authentication, and watch for suspicious activity.












