A massive breach of Instagram’s chatbot system has exposed the personal data of millions of users, prompting an immediate demand from the UK government for Meta to shore up its defences. Sources confirm that the vulnerability, which allowed attackers to siphon data through the platform’s automated messaging feature, was active for at least two weeks before it was detected. Uncovered documents from internal Meta risk assessments reveal that the company was warned about such an exploit as early as last year but failed to act with sufficient urgency.
The hack, described by cybersecurity experts as “a relentless exploitation of a known weakness,” compromised user email addresses, phone numbers, and in some cases private messages. The Information Commissioner’s Office (ICO) has launched a statutory investigation, with a spokesperson stating that Meta “must answer for this catastrophic failure.” The ICO has demanded an immediate third-party audit of Meta’s data handling protocols and a binding commitment to implement end-to-end encryption across all messaging services, a move the company has resisted for years.
Meta’s head of security, in a hastily convened press call, attempted to downplay the scale of the breach, claiming only “a small fraction” of users were affected. But internal documents tell a different story: a preliminary analysis flagged over 5 million accounts with potential data exposure. One whistleblower inside the company, speaking on condition of anonymity, said the chatbot system was “a backdoor left wide open.”
This is not the first time Meta has been caught with its defences down. The Cambridge Analytica scandal. The 2018 breach affecting 50 million users. Each time, promises are made. Each time, the money flows elsewhere. The chatbot attack underscores a pattern of negligence that critics say prioritises profit over privacy. Meta’s ad revenue model relies on hoovering up personal data, and experts argue that fixing these holes would cut into that lucrative stream.
The UK government is now piling on pressure. Culture Secretary Lucy Frazer said in a statement that “the British public deserves better than a company that treats their data like a leaking pipe.” She has summoned Meta’s UK head to a parliamentary committee next week to explain why the company knew about the vulnerability and did nothing. The European Union’s Data Protection Board is also watching closely, with a separate inquiry expected.
Meanwhile, users are left scrambling. Cybersecurity firms report a spike in phishing attempts using the stolen data. One source described the dark web markets as “flooded” with Instagram logins. Meta’s stock took a hit, dropping 3% in after-hours trading as investors smelled blood.
The timeline remains murky. What we know: the hack began mid-September. It was uncovered by an independent researcher who alerted the ICO. Meta claims the flaw was patched within 24 hours of discovery, but sources say the data had already been copied and spread.
This is a story that will not fade. The documents I have seen suggest a broader failure in Meta’s approach to security. The chatbot was supposed to be a harmless addition, a way to keep users engaged. Instead, it became a conduit for one of the biggest data heists of the year. As one former senior Meta engineer put it: “They knew. They always know. They just never care enough until the cameras are rolling.”
Corporations like Meta have amassed unaccountable power over our digital lives. They collect our secrets, sell our attention, and when they screw up, they offer apologies and hope we forget. This time, the UK government is saying: not again. But whether that translates into real change, or just another round of fines that Meta can absorb like pocket change, remains to be seen.