Meta has provided specific figures for the hacking campaign against Instagram accounts in a data protection notice submitted to the Maine Attorney General’s Office. According to the notice, at least 20,225 accounts were compromised, including 30 in Maine.
Hackers exploited Meta’s AI-powered Instagram support chatbot for months to take over other users’ accounts. The chatbot, an account recovery tool called High Touch Support, was originally designed to help locked-out users regain access to their accounts. However, a bug in a separate code path meant that the system did not verify whether the email address provided actually belonged to the relevant Instagram account.
According to the notice, the attacks had been running since around April 17, 2026 and were only discovered on May 31. The attackers exploited the already known vulnerability in the AI-powered account recovery system, which sent password reset links to arbitrary email addresses without checking whether they were linked to the account.
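To make the flaw concrete, the following added example reconstructs the recovery logic in a few lines of Python. It is not Meta's code: the account store, the `ResetService` class, the mailer and the reset URL are all assumptions. It shows the flawed path, which delivers a reset link to whatever address the caller supplies, next to a hardened path that only ever mails the address on file, logs a mismatch for detection, and supports bulk invalidation of outstanding links, the remediation step the notice describes.

```python
import secrets
import hmac
from dataclasses import dataclass, field

# Constructed sample account store: username -> verified recovery email (assumption).
ACCOUNTS = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
}

RESET_BASE = "https://reset.example/"  # placeholder URL, not a real endpoint


@dataclass
class Mailer:
    """Records (recipient, link) pairs instead of sending real mail."""
    sent: list = field(default_factory=list)

    def send(self, to: str, link: str) -> None:
        self.sent.append((to, link))


@dataclass
class ResetService:
    mailer: Mailer
    tokens: dict = field(default_factory=dict)   # token -> username
    alerts: list = field(default_factory=list)   # mismatch events for the SOC

    def _issue_token(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        return token

    def request_reset_vulnerable(self, username: str, email: str) -> bool:
        """Flawed code path: trusts the caller-supplied address (reconstruction of the
        behaviour the notice describes, not the real implementation)."""
        if username not in ACCOUNTS:
            return False
        token = self._issue_token(username)
        self.mailer.send(email, RESET_BASE + token)
        return True

    def request_reset_hardened(self, username: str, email: str) -> str:
        """Hardened path: the link goes only to the address on file, and only when the
        supplied address matches it. The response is identical either way so the
        endpoint cannot be used to confirm which email belongs to which account."""
        on_file = ACCOUNTS.get(username)
        if on_file is None:
            return "accepted"
        # constant-time comparison of normalised addresses
        if not hmac.compare_digest(on_file.lower().encode(), email.lower().encode()):
            # Record the mismatch: a burst of these per account is the detection signal.
            self.alerts.append({"user": username, "supplied": email})
            return "accepted"
        token = self._issue_token(username)
        self.mailer.send(on_file, RESET_BASE + token)
        return "accepted"

    def revoke_all(self) -> int:
        """Invalidate every outstanding reset link; returns how many were revoked."""
        n = len(self.tokens)
        self.tokens.clear()
        return n

    def consume(self, token: str):
        """Redeem a link once; returns the username or None if unknown/revoked."""
        return self.tokens.pop(token, None)


def demonstrate() -> dict:
    """Run both paths with a constructed attacker-controlled address."""
    vuln = ResetService(Mailer())
    vuln.request_reset_vulnerable("alice", "attacker@example.net")

    hard = ResetService(Mailer())
    hard.request_reset_hardened("alice", "attacker@example.net")  # no mail, one alert
    hard.request_reset_hardened("alice", "Alice@example.com")      # mail to address on file

    return {
        "vulnerable_recipient": vuln.mailer.sent[0][0],
        "hardened_recipients": [to for to, _ in hard.mailer.sent],
        "hardened_alerts": len(hard.alerts),
        "revoked_after_incident": hard.revoke_all(),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The hardened handler never echoes which address is on file and answers "accepted" regardless, so a mismatch leaks nothing to the caller while still producing an alert record that a detection rule can threshold on; `revoke_all` models the step of invalidating every link generated by the faulty path before the tool is reactivated.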
Meta describes the figure of 20,225 as an upper limit, since some accesses may have come from legitimate account owners. According to Meta, the potentially accessible data included contact information, birth dates, posts, direct messages, account activity, profile information, and linked services. The company says it does not know which information was actually viewed. Thisweekinsecurity was the first to report on the notice.
Meta disabled the AI chatbot as an immediate measure, removed the faulty code path, and invalidated all password reset links generated through the system. Affected users were placed into a mandatory security checkpoint and asked to reset their passwords through verified channels.
Before reactivating the tool, Meta plans to fix email verification in the recovery process and review similar account recovery systems across all its platforms. The incident comes at a time when Meta has laid off thousands of employees while heavily investing in AI. The AI support chatbot had previously been promoted by Meta as a security improvement for account protection.