Hackers may have hacked more than 20,000 Instagram accounts with Meta’s AI chatbot


The tool worked properly and as intended; however, due to an error in another process, the system did not properly verify that the email address provided by the person requesting a password reset matched the email address associated with the user’s Instagram account. As a result, when a person provided an email that was not associated with the account, the system sent a password reset link to the unrelated email instead of rejecting the request. This allowed unauthorized persons to receive a password reset link for accounts that did not belong to them.
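A minimal sketch of the check the notice says was missing, next to the flawed behaviour it describes. This is an added example, not Meta's code or part of the original article: the account table, function names and reply text are hypothetical, and addresses are assumed to compare case-insensitively.

```python
import hmac
import secrets

# Constructed sample data (hypothetical accounts, not real ones).
ACCOUNTS = {"alice": "alice@example.com", "bob": "bob@example.org"}
REQUESTS = [
    ("alice", "alice@example.com"),       # owner, exact match
    ("alice", " ALICE@Example.com"),      # owner, different case and spacing
    ("bob", "someone-else@example.net"),  # address not tied to the account
    ("nobody", "x@example.com"),          # unknown username
]
GENERIC_REPLY = "If the details match an account, a reset link has been sent."


def _normalize(email):
    # Assumption: addresses are compared case-insensitively, ignoring padding.
    return email.strip().casefold().encode()


def flawed_reset(username, supplied_email, outbox):
    """Behaviour described in the notice: the supplied address is never
    compared with the one on file, so the link goes to whatever was typed."""
    if username in ACCOUNTS:
        outbox.append((supplied_email, username, secrets.token_urlsafe(32)))
    return GENERIC_REPLY


def checked_reset(username, supplied_email, outbox):
    """Reject mismatches and take the recipient from the stored record."""
    on_file = ACCOUNTS.get(username)
    if on_file is not None and hmac.compare_digest(
        _normalize(supplied_email), _normalize(on_file)
    ):
        # Recipient comes from the account record, never from request input.
        outbox.append((on_file, username, secrets.token_urlsafe(32)))
    # Same reply on every path, so the endpoint does not reveal which
    # usernames or addresses exist.
    return GENERIC_REPLY


def recipients(handler, requests=REQUESTS):
    """Run the constructed requests through a handler; return who got mail."""
    outbox = []
    for username, email in requests:
        handler(username, email, outbox)
    return [(to, user) for to, user, _token in outbox]


if __name__ == "__main__":
    print("flawed :", recipients(flawed_reset))
    print("checked:", recipients(checked_reset))
```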

Meta says the first attack took place on May 31st, and Meta communications head Andy Stone said that the company “resolved” what happened on June 1st. Meanwhile, several top Instagram accounts were affected, including President Barack Obama’s former White House account, US Space Force Chief Master Sergeant John F. Bentivegna, and Sephora. In the statement, Meta adds that it “doesn’t know” if any personal information was obtained as a result of the incident, but says hackers may have obtained email addresses, phone numbers, birthdays, social media posts, direct messages, history, account activity, and linked accounts.

The notice says 30 of the affected users live in Maine. The number refers to “users who changed their password through a support tool, did not have 2FA enabled on their account and whose Instagram accounts were accessed by an unauthorized group” – although Meta says it is “higher,” because some of these accounts were accessed legitimately.

The company notes that it has disabled its AI support tool and removed the traffic method, blocking any password reset links that were created fraudulently. It also registered all affected accounts “in a security verification environment that requires authentication before logging into any account.”


