Meta discloses Instagram AI chatbot breach affecting at least 20,225 accounts; company disabled the tool and plans security fixes

Meta's AI-powered account recovery chatbot for Instagram, called 'High Touch Support,' was exploited by hackers from around April 17, 2026 until discovery on May 31. At least 20,225 accounts were compromised. The flaw: the system sent password reset links to any provided email address without verifying the email belonged to the account in question.

Potentially exposed data included contact info, birth dates, posts, direct messages, account activity, profile information, and linked services. Meta says it does not know which information was actually viewed by attackers.

Meta disabled the chatbot, removed the faulty code path, and invalidated all password reset links. Before reactivating the tool, the company plans to fix the email verification step and audit similar account recovery systems across all its platforms.