
Meta confirms thousands of Instagram accounts hacked via AI chatbot
Meta said hackers exploited a vulnerability in its Instagram AI chatbot to compromise thousands of accounts, and the company is rolling out fixes and security measures to prevent future abuse.
Meta confirmed that hackers exploited a vulnerability in its Instagram AI chatbot to gain unauthorized access to thousands of accounts [Week in Security]. The breach originated from the chatbot’s ability to retrieve authentication tokens during user interactions, allowing attackers to hijack sessions without external phishing links [Week in Security].
Meta has not disclosed the technical specifics of the flaw, but says it was confined to the chatbot interface. In response, the company disabled the Instagram chatbot, issued a security patch, and forced password resets for users identified as compromised [Week in Security]. Meta also announced an audit of its other AI‑driven services to check for similar weaknesses.
The incident demonstrates how embedding generative AI into consumer apps can broaden the attack surface. Unlike traditional attacks that rely on malicious links or credential stuffing, this exploit turned the platform’s own feature into an entry point.
For security teams, the hack highlights three actionable points: (1) subject AI modules to the same rigorous code review and testing as core services; (2) monitor for anomalous access patterns that may indicate abuse of AI‑enabled functions; and (3) adopt transparent disclosure practices when incidents occur [Week in Security].
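One way to approach point (2), as an added example that is not Meta's code or detection logic: flag a session token that turns up on a client other than the one it was first seen on, shortly after the same account interacted with the chatbot. Meta has not published the flaw's details, so the event schema, field names, 15-minute window and sample events are all assumptions constructed for illustration.

```python
WINDOW = 900  # seconds; assumed correlation window between chatbot turn and token reuse

# Constructed sample events (hypothetical schema):
# (timestamp, account, kind, token_id, client_fingerprint)
EVENTS = [
    (1000, "alice", "session_use", "t1", "dev-A"),
    (1100, "alice", "chatbot_turn", None, "dev-A"),
    (1400, "alice", "session_use", "t1", "dev-X"),  # same token, new client, after chatbot turn
    (2000, "bob", "session_use", "t2", "dev-B"),
    (2100, "bob", "session_use", "t2", "dev-B"),    # normal reuse on the same client
    (3000, "carol", "session_use", "t3", "dev-C"),
    (9000, "carol", "session_use", "t3", "dev-D"),  # new client, but no chatbot activity
    (9500, "dave", "chatbot_turn", None, "dev-E"),
    (9600, "dave", "session_use", "t4", "dev-E"),
    (9700, "dave", "session_use", "t4", "dev-Y"),
    (9800, "dave", "session_use", "t4", "dev-Y"),   # repeat of the same anomaly
]


def flag_token_reuse(events, window=WINDOW):
    """Return (account, token_id, client) for each token seen on a client other
    than its first-seen client within `window` seconds of a chatbot turn."""
    first_client = {}  # token_id -> client fingerprint the token was first seen on
    last_chat = {}     # account -> timestamp of the most recent chatbot turn
    reported = set()   # (token_id, client) pairs already alerted on
    alerts = []
    for ts, account, kind, token, client in sorted(events, key=lambda e: e[0]):
        if kind == "chatbot_turn":
            last_chat[account] = ts
            continue
        owner = first_client.setdefault(token, client)
        recent_chat = account in last_chat and ts - last_chat[account] <= window
        if client != owner and recent_chat and (token, client) not in reported:
            reported.add((token, client))
            alerts.append((account, token, client))
    return alerts


if __name__ == "__main__":
    for account, token, client in flag_token_reuse(EVENTS):
        print(f"ALERT account={account} token={token} unexpected_client={client}")
```

The carol case shows why the chatbot correlation matters: a client change alone is common (new phone, new network), so the rule only fires when it follows an AI-feature interaction.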


