The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account. As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request. This allowed unauthorized third parties to receive a password reset link for accounts they did not own.
Meta says the attack first surfaced on May 31st, with Meta communications head Andy Stone saying the company “resolved” the incident on June 1st. During this time, several high-profile Instagram accounts were impacted, including former President Barack Obama’s old White House account, US Space Force Chief Master Sergeant John F. Bentivegna, and Sephora. In the notice, Meta adds that it’s “unaware” of whether any personal data was accessed as a result of the exploit, but notes that account hijackers could’ve obtained email addresses, phone numbers, birthdates, social media posts, direct messages, profile information, account activity, and connected accounts.
The notice says 30 of the impacted users lived in Maine. The number refers to “users who had their passwords reset through the support tool, did not have 2FA enabled on their account and whose Instagram accounts were likely accessed by an unauthorized party” — though Meta says it’s an “upper bound,” as some of these accounts may have been accessed legitimately.
The company notes that it disabled its AI support tool and removed the buggy code path, while invalidating any password reset links generated using the exploit. It also enrolled all potentially impacted accounts “into a mandatory security checkpoint requiring authentication before any account access.”
