Meta's AI Chatbot Handed Over Instagram Accounts, Dashlane Lost 20 Encrypted Vaults, and Ultrahuman Exposed Health Data — A Rough Week for Digital Security

Since the Meta AI chatbot Instagram exploit surfaced on May 31, the attack has continued even after Meta claimed it was fixed — and that's just one of three significant security failures this week. A Dashlane brute-force attack starting May 30 resulted in 20 stolen encrypted vaults, and wearable health startup Ultrahuman disclosed a March 27 breach affecting customer wellness data. The pattern is the same every time: companies get caught, issue vague statements, and users find out from strangers on the internet.

Since the Meta AI chatbot Instagram exploit went public on May 31, the attack has persisted — and the week has since produced two more security incidents worth examining.

Meta Let Hackers Walk Through the Front Door

The Instagram hack wasn't sophisticated. It didn't require zero-days, social engineering, or insider access. Hackers simply opened Meta's AI support chatbot, told it they owned someone else's account, and asked it to link a new email address. The chatbot complied. From there, resetting the password was trivial.

According to TechCrunch, a step-by-step video of the exploit circulated in a Telegram group where hackers were actively advertising stolen account handles for resale. Compromised accounts included one tied to the U.S. Space Force's chief master sergeant, John Bentivegna, and a dormant Obama White House account that reportedly posted pro-Iran content before being recovered — though Meta spokesperson Andy Stone called claims about world leader accounts "totally false," per the BBC.

Security researcher and former Meta employee Jane Manchun Wong confirmed her own account was taken over — her password changed without her knowledge, per TechCrunch.

On Monday, Stone told users on X that "the issue has been resolved." By Tuesday, more accounts were being compromised. TechCrunch reported members of the Telegram channel were still advertising hacked handles — including at the time of writing.

Meta built a chatbot that could bypass every password and 2FA protection a user had, with zero authentication required from the attacker. The company then told the public the problem was fixed before it actually was. That represents a fundamental design failure, not a minor security bug.

Dashlane's Story Has Holes in It

Starting the afternoon of May 30, Dashlane suspended customer accounts following what it described as a brute-force attack targeting two-factor authentication protections. By evening, accounts were being restored, according to Tech.co.

Dashlane's advisory says attackers launched a brute-force attack against 2FA codes — those six-digit, 45-second rotating codes — and that 20 encrypted user vaults were stolen.

Ars Technica flagged the obvious problem with this explanation: brute-forcing a six-digit TOTP code within a three-hour window would require submitting a statistically significant percentage of 1 million possible combinations against Dashlane's servers. That requires serious infrastructure. It also raises the question of whether Dashlane had any meaningful rate limiting in place.
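The arithmetic behind that objection, worked through as an added example (not code from the article, Ars Technica, or Dashlane). It uses the article's figures of six digits, 45-second rotation and a three-hour window; the single-account model and the 5-failure, 15-minute lockout policy are assumptions chosen for illustration.

```python
import math

CODE_SPACE = 10 ** 6        # six-digit code (from the article)
WINDOW_S = 45               # code rotation period as the article states it
ATTACK_S = 3 * 3600         # the three-hour window Ars Technica cites

def hit_probability(guesses_per_window: float, windows: int) -> float:
    """Chance of at least one correct guess; guesses in a window are distinct."""
    per_window = min(guesses_per_window, CODE_SPACE) / CODE_SPACE
    return 1.0 - (1.0 - per_window) ** windows

def guesses_per_window_for(target: float, windows: int) -> int:
    """Distinct guesses needed in every window to reach `target` overall."""
    return math.ceil(CODE_SPACE * (1.0 - (1.0 - target) ** (1.0 / windows)))

class LockoutLimiter:
    """Hypothetical per-account policy: lock after max_failures wrong codes."""
    def __init__(self, max_failures: int, lock_s: int):
        self.max_failures, self.lock_s = max_failures, lock_s
        self.failures, self.locked_until = 0, 0

    def allow(self, now: int) -> bool:
        return now >= self.locked_until

    def record_failure(self, now: int) -> None:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures, self.locked_until = 0, now + self.lock_s

def attempts_permitted(limiter: LockoutLimiter, duration_s: int) -> int:
    """Count wrong guesses one account accepts when hammered once per second."""
    count = 0
    for now in range(duration_s):
        if limiter.allow(now):
            limiter.record_failure(now)
            count += 1
    return count

WINDOWS = ATTACK_S // WINDOW_S                         # 240 windows
NEEDED = guesses_per_window_for(0.5, WINDOWS)          # per account, per window
CAPPED = attempts_permitted(LockoutLimiter(5, 900), ATTACK_S)

if __name__ == "__main__":
    print(f"{WINDOWS} windows; 50% odds needs {NEEDED} guesses/window "
          f"(~{NEEDED / WINDOW_S:.0f} req/s) against one account")
    print(f"5-failure/15-min lockout permits {CAPPED} guesses in 3 h, "
          f"success chance {hit_probability(CAPPED / WINDOWS, WINDOWS):.4%}")
```

Without throttling, even odds against one account take a sustained rate of roughly 64 verification requests per second for the full three hours; with the assumed lockout the same account accepts 60 guesses in total, which is why the advisory's account raises the rate-limiting question.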

Users reported unauthorized login attempts traced to Korea and Russia, per The Register as cited by Tech.co. Some users received no direct notification from Dashlane — they found out through Mastodon's infosec community instead.

Dashlane's public statement: "there is no evidence of compromise of Dashlane's systems." Twenty encrypted vaults were stolen. Both statements are technically true. Burying that detail is a choice.

The vaults are encrypted, so the immediate risk depends on how strong users' master passwords are. But Dashlane has not been transparent about the mechanics of this attack, and users deserve more than corporate damage control dressed as a security advisory.

Ultrahuman Sat on a Breach for Over Two Months

Wearable health startup Ultrahuman disclosed on June 3 — via TechCrunch — that its customer wellness data was accessed by hackers on March 27. That's more than two months of silence.

The attack vector was straightforward: an employee's laptop was infected with malware, credentials were stolen, and attackers used those credentials to access an internal analytics system. CEO Mohit Kumar confirmed the breach to TechCrunch, saying security systems detected the intrusion within hours and the affected system was taken offline.

Ultrahuman has roughly 700,000 monthly active users. The company says about 0.1% were affected — which works out to approximately 700 customers whose health data was accessed. That data includes sleep, activity, and recovery metrics tracked by the company's Ring Air and Ring Pro smart rings.

The company says no passwords, payment data, or production systems were compromised, and that attackers had read-only access. But Ultrahuman declined to confirm whether data was actually exfiltrated — a significant omission.

The company also told TechCrunch it delayed notifying affected users while it audited the full scope of the breach. Two months is a long audit.

The Pattern

These three incidents share fundamental similarities: companies with access to sensitive personal data — passwords, account credentials, health metrics — failed their users and then communicated poorly about it afterward.

Meta built an AI chatbot that could reset account access with zero verification. Dashlane lost encrypted vaults and issued a technically accurate but deliberately opaque explanation. Ultrahuman waited over two months to tell affected customers their health data had been accessed.

This all lands in the same week that TechCrunch's mid-year cybersecurity roundup flagged ongoing concerns about the DOGE Social Security database exposure, Russian attacks on European water and energy infrastructure, and AI-powered hacking tools lowering the barrier for entry across the board.

The technology companies building these products are moving fast. Their security practices haven't kept pace. And when things go wrong, the first instinct is to manage the PR, not protect the users.

Sources

Ars Technica (center-left): Dashlane issues opaque advisory warning 20 encrypted vaults were stolen
TechCrunch (center-left): Ultrahuman says hackers accessed customers’ wellness data via internal tool
TechCrunch (center-left): Instagram is alerting users who were targeted by hackers during AI chatbot attacks
TechCrunch (center-left): Amazon will show AI product images when you search for some reason
TechCrunch (center-left): The worst hacks and breaches of 2026 (so far)
TechCrunch (center-left): Hackers hijacked Instagram accounts by tricking Meta AI support chatbot into granting access
BBC (left): Meta AI chatbot enabled hackers to access others' Instagram accounts
Tech.co (unknown): Dashlane Suspends Customer Accounts After Brute-Force Attacks