Cyber Incident Victim: Sephora
Date: May 2026
Location: United States of America
Summary
Hackers exploited a vulnerability in Meta’s AI-powered account recovery support tool by convincing the chatbot to link targeted Instagram accounts to attacker-controlled email addresses, allowing password resets and account takeover; the compromised accounts included those of Sephora, the Obama White House, and US Space Force Chief Master Sergeant John Bentivegna, among roughly 20,000 potentially affected users. Meta discovered the exploitation and took action, disabling the tool, invalidating the fraudulent reset links, placing affected accounts under a mandatory security checkpoint, resetting their passwords, and announcing plans to notify users of the incident.
Description
In March 2026 Meta launched an AI-powered support assistant designed to provide 24/7 help for account issues such as updating passwords and profile settings, which the company described as a tool to help users regain access after being locked out. On May 31, 2026, Meta’s security team discovered that the High Touch Support (HTS) tool, the underlying system for the chatbot, was being exploited. Attackers used the chatbot to request that a target’s Instagram account be linked to a new email address under the attacker’s control; the chatbot then sent a verification code to that email, and once the code was entered it presented an option to reset the account’s password. By completing these steps the attackers could take over the targeted Instagram account without ever possessing the original credentials. The method was demonstrated in videos and screenshots shared online, and it was used to compromise a number of high-profile accounts, including those associated with the Obama White House, the beauty retailer Sephora, and US Space Force Chief Master Sergeant John Bentivegna. As of the Tuesday afternoon following the initial reports, those three accounts appeared to have been restored to their legitimate owners.

Meta’s disclosure to the Maine Attorney General’s Office indicated that roughly 20,225 individuals may have been affected, a figure derived from counting users whose passwords were reset via the support tool, who did not have two‑factor authentication enabled, and whose accounts were likely accessed by hackers; Meta noted that some of those accounts could have been accessed by their legitimate owners rather than by attackers. The potentially exposed data included profile information, email addresses, phone numbers, dates of birth, direct messages, social media posts, and details of account activity and interaction history. Some of the compromised accounts were reportedly sold on the dark web, although Meta stated it was unclear whether personal information stored in the accounts had actually been accessed. In response, Meta disabled the abused HTS tool and announced it would not re‑enable it until the vulnerability was fixed. The password reset links generated through the exploit were invalidated, and all affected accounts were placed in a mandatory security checkpoint with their passwords reset. Meta informed the Maine AG of the incident and said it would, as soon as practical, send notifications to the potentially impacted users advising them to review their account security settings and to enable two‑factor authentication. A Meta vice president, Andy Stone, posted on X that the issue had been resolved and that the company was securing impacted accounts. The company also noted that it had laid off about 8,000 staff the previous month, including members of its integrity and cybersecurity teams, though it did not link those layoffs directly to the incident.
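The authorization gap described above, modelled as an added illustration (this is hypothetical example code, not Meta's HTS tool or any real recovery system): the weak flow verifies only the newly supplied address, so proof of control of that inbox is enough to link it and trigger a reset, whereas the hardened flow demands a challenge on an existing verified contact (or the account's second factor) and keeps a freshly linked address out of the reset path.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    verified_emails: set              # contacts already proven to belong to the owner
    has_2fa: bool = False
    quarantined_emails: set = field(default_factory=set)  # linked but not yet trusted
    password_resets: int = 0

def weak_recovery(acct, new_email, controlled_inboxes):
    """Flow as reported: the code goes only to the NEW address, so whoever reads
    that inbox links it and is immediately offered a password reset."""
    if new_email not in controlled_inboxes:
        return "code-not-received"
    acct.verified_emails.add(new_email)
    acct.password_resets += 1            # reset chained directly onto the link step
    return "reset"

def hardened_recovery(acct, new_email, controlled_inboxes, totp_ok=False):
    """Prove control of an EXISTING contact (or pass 2FA) before any change, and
    quarantine the new address so it cannot drive a reset on its own."""
    if acct.has_2fa and not totp_ok:
        return "2fa-required"
    if not (acct.verified_emails & controlled_inboxes):
        return "existing-contact-challenge-failed"
    if new_email not in controlled_inboxes:
        return "code-not-received"
    acct.quarantined_emails.add(new_email)
    return "linked-pending-review"       # owner notified; no reset from this address yet

def attempt_reset(acct, via_email):
    """A reset may only be initiated from a verified, non-quarantined contact."""
    if via_email in acct.verified_emails and via_email not in acct.quarantined_emails:
        acct.password_resets += 1
        return True
    return False

if __name__ == "__main__":
    # constructed sample: a requester who controls only the address they supplied
    acct = Account("brand_account", {"owner@example.test"})
    print(weak_recovery(acct, "other@example.test", {"other@example.test"}))      # reset
    acct = Account("brand_account", {"owner@example.test"})
    print(hardened_recovery(acct, "other@example.test", {"other@example.test"}))  # existing-contact-challenge-failed
```

The hardened path still needs a manual-review route for genuinely locked-out owners; the point is that an automated assistant should never be the sole gate between "link a new contact" and "reset the password".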
