The Instagram AI Debacle: Meta's Chatbot Handed Hackers the Keys

Over the weekend of May 31, hackers figured out they didn't need advanced tools to steal Instagram accounts. They just had to ask.

According to TechCrunch, attackers exploited Meta's AI support chatbot by simply telling it they owned a target's account and requesting the bot link it to a new email address. The chatbot complied. Password reset. Account gone.

No Meta employee was ever in the loop. The chatbot did it all on its own.

High-profile targets included the dormant Obama White House account and the account of U.S. Space Force Chief Master Sergeant John Bentivegna, according to TechCrunch. Hackers were also scooping up accounts with rare short handles — names of countries, common first names — and selling them in Telegram gray markets.

Meta spokesperson Andy Stone declared on Monday, June 1, that "the issue that did happen has already been fixed." By Tuesday, June 2, more users were reporting stolen accounts. Members of the Telegram channel where the technique was publicized were still advertising hacked handles for sale, per TechCrunch's own reporting at time of publication.

Meta has been scrambling to secure targeted accounts and alert victims. But the company hasn't explained how its AI chatbot ever had the permission architecture to unilaterally reassign account ownership to a stranger with zero verification. It's a catastrophic product design failure, not a sophisticated hack.

Ultrahuman Breach: Your Health Data Wasn't as Private as You Thought

Ultrahuman, the India-based smart ring and metabolic health tracker startup, confirmed this week that hackers accessed customer wellness data on March 27 — and waited until June 3 to notify affected users.

According to TechCrunch, the attackers used credentials stolen from a malware-infected employee laptop to access an internal analytics tool. CEO Mohit Kumar told TechCrunch that security alerting systems caught the intrusion "within hours" and the affected system was taken offline.

The company said no passwords, payment data, production systems, or physical Ring devices were compromised. What WAS accessed: wellness data belonging to approximately 0.1% of users.

Ultrahuman previously reported roughly 700,000 monthly active users. That's at least 700 customers whose health data — sleep patterns, activity metrics, recovery scores — was in the hands of unauthorized actors.

The company declined to tell TechCrunch exactly how many customers were affected, what specific data was accessed, or whether any data was actually exfiltrated. They also haven't said whether they received any communication from the hackers.

Kumar said the delay in notifying users was due to auditing the full scope of the incident. Regulators are being notified.

The incident reveals a fundamental assumption held by the wearable health-tech industry: Companies like Ultrahuman and Oura store intimate biometric data on their own servers — servers that their employees, governments, and apparently criminal hackers can access. Users assume that data stays on their device. It doesn't.

The DOGE Social Security Disaster: Potentially the Biggest Breach in U.S. History

Both of the above pale next to what may be the most consequential data exposure of the decade.

According to TechCrunch's 2026 breach roundup, DOGE operatives — working under Elon Musk's direction — swept through the Social Security Administration earlier this year and allegedly uploaded a live copy of the Social Security database to an unsecured third-party server.

This database is believed to contain the Social Security numbers and associated personal information of most living Americans.

In court filings cited by TechCrunch, the Social Security Administration itself admitted it doesn't know with certainty what was on that server. What it does know: DOGE signed an agreement with an outside political advocacy group under the stated pretext of finding voter fraud evidence — a claim President Trump continues to make without evidence, according to TechCrunch.

Two top House Democrats investigating DOGE's SSA activities called it "the largest data breach in our nation's history."

Lawsuits are ongoing. Answers are scarce. And your Social Security number may already be on a server you've never heard of, controlled by people you never voted for.

How the Coverage Misses the Point

Most tech media is covering these stories in silos. The Instagram story gets a cybersecurity frame. The Ultrahuman story gets a startup drama frame. The DOGE story gets a political frame. But each failure stems from the same problem: institutions with access to your most sensitive data have failed to protect it, and accountability is zero.

Cybersecurity Insiders and CyberSec Guru sources also flagged a separate January 2026 Instagram incident allegedly affecting 17.3–17.5 million accounts, flagged by Malwarebytes, involving names, email addresses, phone numbers, and physical addresses leaked to dark web forums. Meta disputed the full scope of that earlier incident. Mainstream coverage has blurred the two incidents together, creating confusion about what actually happened when.

ACI Learning's 2026 breach roundup adds more: Match Group — the company behind Tinder, Hinge, and OkCupid — allegedly had 10 million records stolen by the ShinyHunters group. Medical device company Stryker suffered a March 2026 attack by an Iran-aligned hacktivist group that wiped corporate computers in real time while employees watched.

What's at Stake

You are not abstract data. You are a Social Security number, a home address, a heartbeat captured at 2 a.m. by a smart ring, and an Instagram account with five years of photos.

Every company and government agency in this article had one job: protect that. Most of them failed. None of them have faced meaningful consequences.

Until there are real legal and financial penalties for sloppy data stewardship — not press releases, not apology emails — expect this list to keep growing.