How many Instagram accounts were hacked using an AI support bot?

Meta has released details on the attack that compromised a number of Instagram accounts last week. In a report filed with the Office of the Maine Attorney General, the company said that 20,225 accounts were affected on May 31 due to a flaw in an AI-assisted customer support system.

The issue was in Meta’s High Touch Support (HTS) system, which uses artificial intelligence to assist customers in recovering their accounts if they’ve lost access (like when you forget your password). According to Meta, “due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account.”

This meant that hackers were able to request a password reset link for a user’s account and enter a fraudulent email address, allowing them to reset users’ passwords themselves and thus gain access to the accounts. Meta said there is currently no evidence that any data was exfiltrated from the accounts, but it is possible given the nature of the access the hackers had. The HTS system has been disabled and the passwords reset for all affected accounts.