# Meta discloses Instagram AI chatbot vulnerability, over 20,000 accounts affected

- Source: The Decoder: AI News (RSS)
- Author: Maximilian Schreiner
- Published: 2026-06-08 20:34
- AIHOT score: 63
- AIHOT link: https://aihot.virxact.com/items/cmq577e130575slt2u6ekpztb
- Original link: https://the-decoder.com/instagram-ai-chatbot-breach-may-have-affected-over-to-20000-accounts-meta-discloses

## AI summary

Meta has for the first time disclosed a security vulnerability in its Instagram AI customer-support chatbot: at least 20,225 accounts were compromised. For nearly seven weeks the system sent password reset links to arbitrary email addresses without verifying that they belonged to the account; the chatbot had previously been promoted as an account security measure.

## Full text

### Instagram AI chatbot breach may have affected over 20,000 accounts, Meta discloses

Key Points

- A flaw in Meta's AI support chatbot led to the compromise of up to 20,225 Instagram accounts over seven weeks.
- A buggy recovery tool let hackers send password reset links to arbitrary, unverified email addresses.
- Meta disabled the chatbot, invalidated the manipulated links, and forced affected users to reset their passwords immediately.

In an official data breach notification, Meta has for the first time put a number on the scope of the already-known vulnerability in its AI support chatbot. The hacking campaign ran for nearly seven weeks.

Meta has released a data breach notification to the Maine Attorney General's office with the first concrete numbers on the hacking campaign targeting Instagram accounts. At least 20,225 accounts were compromised, including 30 in Maine.

Hackers exploited Meta's AI-powered support chatbot for Instagram for months to take over other people's accounts. The chatbot, an account recovery tool called "High Touch Support," was designed to help locked-out users regain access. But a bug in a separate code path meant the system never checked whether the email address provided actually belonged to the Instagram account in question.

According to the notification, the attacks started around April 17, 2026, and weren't discovered until May 31. The attackers exploited the already-known flaw in the AI-powered "High Touch Support" recovery system, which sent password reset links to any email address without verifying it belonged to the account.
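The failure mode described above, sketched as an added example (constructed Python, not Meta's code; the account store, function names and token format are all assumptions): the flawed recovery path mails a reset link to whatever address the requester supplies, while the hardened path refuses any address that does not match the one already verified on file.

```python
"""Hypothetical account-recovery flow (constructed example, not Meta's code).

Contrasts a recovery path that never checks who owns the supplied email
with one that only ever mails the address verified on the account.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed account store: username -> email address verified on file.
ACCOUNTS = {"alice": "alice@example.com"}


@dataclass
class Outbox:
    """Stand-in for a mailer: records (recipient, reset_token) pairs."""
    sent: list = field(default_factory=list)


def _issue_reset_token(username: str) -> str:
    # Random single-use token; a real system would also store it with an expiry.
    return f"{username}:{secrets.token_urlsafe(16)}"


def recover_vulnerable(username: str, requested_email: str, outbox: Outbox) -> bool:
    """Flawed path: the reset link goes to any address the requester names."""
    if username not in ACCOUNTS:
        return False
    # Missing check: requested_email is never compared against the account.
    outbox.sent.append((requested_email, _issue_reset_token(username)))
    return True


def recover_hardened(username: str, requested_email: str, outbox: Outbox) -> bool:
    """Fixed path: a link is issued only when the request matches the address
    on file, and it is always delivered to that stored address, never to the
    caller-supplied string."""
    on_file = ACCOUNTS.get(username)
    if on_file is None:
        return False
    # Normalize before a constant-time comparison; any mismatch is rejected.
    if not hmac.compare_digest(on_file.lower(), requested_email.strip().lower()):
        return False
    outbox.sent.append((on_file, _issue_reset_token(username)))
    return True
```

The hardened variant also covers the subtler version of the bug: even when the check passes, the delivery address is taken from the account record rather than from the request.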

Meta calls the 20,225 figure an upper bound, since some access attempts may have come from legitimate account holders. The data that was potentially accessible includes contact info, birth dates, posts, direct messages, account activity, profile information, and linked services, according to Meta. The company says it doesn't know which information was actually viewed. Thisweekinsecurity first reported on the notification.

### Meta disables chatbot and audits all platforms

As an immediate response, Meta disabled the AI chatbot, removed the faulty code path, and invalidated all password reset links generated through the system. Affected users were placed into a mandatory security checkpoint and asked to reset their passwords through verified channels.

Before reactivating the tool, Meta plans to fix the email verification step in the recovery process and audit similar account recovery systems across all its platforms. The incident comes at a time when Meta has laid off thousands of employees while betting heavily on AI. The AI support chatbot had previously been marketed by Meta as a win for account security.

