Comments (238)

  • Cyan488
    > "The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account," said Meta in its breach notice.
    I'm not sure "worked properly" and "as intended" accurately describe this situation.
  • johnyzee
    "Meta notified at least 20,225 people that their accounts had been compromised. [...] The compromises allowed the hackers to take over the person's entire Instagram and any linked accounts, including obtaining contact information, dates of birth, and profile information, as well as the ability to access the person's posts, direct messages, and account activity [...] the hacks began around April 17 and lasted until this week [...]"
    This is staggering.
  • webbdev
    Meanwhile an account I created for a new product was permanently disabled by an automated system with no path for me to appeal to a human. (If anyone at Meta/Instagram sees this, I wrote a brief blog post with the details. Please help! https://addisonwebb.com/blog/2026-06-05-Can%20Someone%20at%2... )
  • loloquwowndueo
    This was on hacker news a few days ago (https://news.ycombinator.com/item?id=48359102) - description of the “hack”, not the cockamamie confirmation by Meta.
  • the_black_hand
    I'll never understand using AI/bots for customer support. IG is a well-known platform. If I have an issue that I feel pressed to connect with a support agent about, it very likely is something a bot would struggle with; otherwise I'd just google. I understand there are some grandmas who can do a google search, but the vast majority of folks reaching out for support are doing so because they have a real issue that can't be simply automated.
    Furthermore, having a bot handle a hacked-account support ticket is just insane. Why tf would you put a bot there and give it permission to take action?
  • jhhh
    Why was 'can a user request a different email' not literally the first test that comes to mind when making something like this? Do they not test anything because the scale is too big?
  • dwa3592
    I really hope this accelerates meta's decline. The world will adapt just fine without social media.
  • Havoc
    > AI-assisted account recovery system
    oh no... Meta, what are you doing
  • phyzome
    Corrected headline: "Meta confirms 1000s of Instagram accounts were hacked due to their insecure AI chatbot".
  • hero4hire
    People were reporting their accounts were being taken over with proper 2FA. Everyone had wondered how the hackers could take over accounts with so little information; people were saying "inside job."
    This is exactly the stupid explanation I expected. Your privacy and security. Meta. Serious Business.
  • thraway3837
    Has the data surfaced somewhere? A lot of IG accounts are private by choice, and this kind of data, if surfaced publicly, could have devastating privacy violations. People share all kinds of stuff on there, a lot of it not meant for public consumption. I'm not wanting a debate on "well you shouldn't put anything private on Facebook's servers or the internet blah blah blah". I'm just curious if the actual contents of the hack have been surfaced.
  • zahirbmirza
    And who said cameras linked to Meta in their glasses were a good idea?
  • whirlwin
    I got a suspicious password reset request email today from Meta but it landed in my inbox. Luckily I have MFA and after checking audit logs inside IG upon logging in, I did not see anything suspicious.
  • dansquizsoft
    You only have to look at both the ridiculously terrible "Q&A chatbot" that is in Facebook under some posts (do they still have this?) and the fact that their system can't tell the difference between an inappropriate and a non-inappropriate comment most of the time to understand just how far behind Meta is in AI...
  • tomashertus
    Move fast and break things.
  • zuzululu
    > as well as the ability to access the person's posts, direct messages
    god dang!! we are going to see some juicy stuff
  • boppo1
    Is there a way to check if I was affected? Does Meta know who was affected?
  • rvz
    If this was a bank that had zero humans and the AI chatbot was abused to hand over sensitive information about their customers which led to this disaster, people would never trust their bank ever again and leave.
    Meta believes that they can vibe-code their reputation down the drain by removing humans in the loop.
    Applying a technical solution to a social problem almost always ends in disasters like this.
    Reputation can’t be vibe-coded.
  • RgrTheShrubbr
    The AI passed the Turing Test by becoming the world's most trusting customer service rep.
  • latexr
    Meta is clearly staying true to their ethos. “Move fast and break things”, “ask for forgiveness, not permission”, “have your security researcher delete their own email by accident and then refuse to learn anything and use that same system to manage user accounts”.
  • naik11
    I want to hack one Instagram account
  • hayaan25929
    Just.me_samiyy hacked
  • hayaan25929
    Meta confirms 1000s of Instagram accounts were hacked by abusing its AI chatbot
  • itsnkr2293
    Where is the security left now?
  • alvis
    How on earth would a password reset API take both an email address and an account ID as parameters? The chatbot is fine. I bet it's the API written by AI that is the issue.
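To make the bug described in the breach notice quoted above concrete (and the two-parameter reset API alvis asks about), here is an added illustration that is not Meta's code: a toy reset-request handler in the vulnerable shape, where the caller supplies both an account id and an email and the email is never checked against the account, next to a hardened version that binds the two. The account ids and addresses are constructed sample data.

```python
# Added illustration, not Meta's code. Accounts and addresses are constructed.
import hmac
import secrets
from typing import Optional

# Constructed sample directory: account id -> email address on file
ACCOUNTS = {"acct-1001": "alice@example.com", "acct-1002": "bob@example.com"}


def _issue_token() -> str:
    # Unguessable single-use reset token (delivery and expiry are out of scope here)
    return secrets.token_urlsafe(24)


def request_reset_vulnerable(account_id: str, email: str) -> Optional[dict]:
    """Vulnerable shape: for any existing account, the reset link is delivered
    to whatever email the requester typed. Returns the delivery record or None."""
    if account_id not in ACCOUNTS:
        return None
    # Bug: `email` is never compared with the address on file for this account.
    return {"account": account_id, "deliver_to": email, "token": _issue_token()}


def request_reset_hardened(account_id: str, email: str) -> Optional[dict]:
    """Hardened shape: the supplied email must match the address on file
    (normalised, compared in constant time), and the link is only ever
    delivered to the address on file. Unknown account and mismatch both
    return None so the response does not reveal which one happened.
    Better still is to accept a single identifier and look the account up
    from it, so there are no two parameters to desynchronise."""
    on_file = ACCOUNTS.get(account_id)
    if on_file is None:
        return None
    supplied = email.strip().lower().encode()
    if not hmac.compare_digest(on_file.lower().encode(), supplied):
        return None  # mismatch: issue nothing, deliver nothing
    return {"account": account_id, "deliver_to": on_file, "token": _issue_token()}
```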
  • cyanydeez
    "abusing" by using its built-in insecurity to do insecure things.
    It's like people abusing an open door. "Guys, just because we left the door open to your bedroom doesn't mean we're responsible".
    God can only hope this is a business-ending lawsuit.
  • Fairburn
    Are we winning yet?
  • anonzzzies
    Is there a tl;dr? Are these people getting their accounts back?
  • pluc
    By "abusing" they mean "using"
  • smrtinsert
    How do business owners hire people from Meta knowing these types of "bugs" get deployed with a shrug? Meta will survive them. Their business might not.
  • _RPM
    Probably some product manager pushed back on security considerations raised by engineers.
  • butler14
    Silicon Valley’s finest
  • Lionga
    Just AI Slop doing AI Slop things
  • empiree
    Yet another reminder that most of these chatbots get shipped way before they're ready. Loud marketing, security treated as an afterthought, all to ride the AI hype. LLMs open up a whole new attack surface and a lot of teams still treat prompt injection like a fun edge case. This is what happens when you ship the demo instead of the product.
  • paulpauper
    Imagine how much $ ppl could have made hijacking famous accounts to promote crypto or other crap. I wonder how often this happened.