Over 20,000 Instagram Accounts Hacked Due to Meta’s Security Flaw
Kathmandu – More than 20,000 Instagram accounts were compromised due to a significant security vulnerability in Meta’s system. According to formal information provided by Meta to government regulatory authorities, hackers exploited a bug in an AI chatbot designed to help recover accounts. It is claimed that high-profile accounts were among those affected, including the White House Instagram account of former US President Barack Obama, the multinational beauty brand Sephora, and a senior officer of the US Space Force. However, Meta has denied some of these claims as false in its official response.
Meta had introduced an AI-supported tool called ‘High Touch Support’ intended to assist Instagram users who were logged out of their accounts. This tool sent password-reset links to users’ registered email addresses upon request. However, due to an internal coding flaw, the AI failed to verify whether the requested email address matched the email associated with the original account. Exploiting this weakness, hackers submitted password-reset requests naming new email addresses of their own. Without performing any verification, the AI chatbot sent the reset links directly to the hackers’ emails.
According to Meta, the cyberattack began on April 17, 2026, but was only discovered on May 31. For nearly six weeks, hackers potentially accessed private messages, contact details, and connected services of the affected accounts. Notably, only accounts without ‘two-factor authentication’—an additional security setting where a code is sent to the phone in addition to the password—were compromised. Reports from BBC and Reuters indicate that Meta has since resolved the vulnerability and started notifying impacted users. This is not Meta’s first data leak incident; in 2018, after 29 million Facebook accounts were exposed and passwords were not adequately secured, Ireland’s Data Protection Commission fined Meta millions of euros.
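The missing check described above, shown as an added example (not Meta's code): a reset handler that trusts the requested address, the same handler with the match enforced, and an audit that flags reset links sent to an address other than the one on file. The account data, function names and log field names are all hypothetical.

```python
from typing import Optional

# Constructed sample data: handle -> email address on file. Assumed to be a
# snapshot of the records as they stood before any reset was processed.
ACCOUNTS = {
    "alice": "alice@example.com",
    "brand_official": "social@brand.example",
}

def normalize(email: str) -> str:
    """Trim and case-fold so formatting differences do not affect the match."""
    return email.strip().casefold()

def reset_recipient_flawed(handle: str, requested_email: str) -> Optional[str]:
    """Behaviour described in the article: the link goes to whatever address
    the request names, with no comparison against the account record."""
    return requested_email if handle in ACCOUNTS else None

def reset_recipient_checked(handle: str, requested_email: str) -> Optional[str]:
    """The requested address is only a claim. The link goes to the stored
    address, and only when the claim matches it."""
    on_file = ACCOUNTS.get(handle)
    if on_file is None or normalize(requested_email) != normalize(on_file):
        return None  # refuse; respond generically and log the attempt
    return on_file

def mismatched_resets(events: list) -> list:
    """Audit reset records: flag any link that was sent to an address other
    than the one on file for that account."""
    return [e for e in events
            if normalize(e["sent_to"]) != normalize(ACCOUNTS.get(e["handle"], ""))]

# Constructed reset-log records (hypothetical field names).
SAMPLE_EVENTS = [
    {"handle": "alice", "sent_to": "Alice@Example.com "},
    {"handle": "brand_official", "sent_to": "new-owner@mail.example"},
]

if __name__ == "__main__":
    print(reset_recipient_flawed("brand_official", "new-owner@mail.example"))
    print(reset_recipient_checked("brand_official", "new-owner@mail.example"))
    print([e["handle"] for e in mismatched_resets(SAMPLE_EVENTS)])
```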