Meta's Instagram AI Vulnerability Fix Was Incomplete: Accounts Still Being Compromised

AI Security Series #39 - Update

As of June 3, 2026, Meta's claimed fix for the Instagram account hijacking vulnerability remains incomplete. Users continue reporting compromised accounts hours after Meta Vice President Andy Stone stated the "issue has been resolved and we are securing impacted accounts." Notable victims posting updates on June 3 include security researcher Jane Manchun Wong (whose primary and secondary accounts were both compromised after the alleged fix) and Esther Crawford, former Director of Product at X and currently Director of Product at Meta. Security researchers and Telegram-based threat intelligence communities are reporting that Meta's fix consisted of removing the frontend "Get Support" button from the UI while leaving the backend API endpoints accessible. Skilled attackers have already adapted, moving to Telegram bots, scripts, and direct API calls to continue exploiting the vulnerability.

Timeline of the Incomplete Fix

June 1, 2026: Vulnerability disclosed publicly. Meta patches "issue" by end of day. Andy Stone confirms: "issue has been resolved."

June 2-3, 2026: Continued reports of account compromises. Jane Manchun Wong reports that her secondary account (a 4-letter username with 2FA enabled) was compromised after the "fix," and that her primary account's password was changed again without authorization. Esther Crawford confirms her 5-letter handle was compromised after the June 1 patch.

June 3, 2026: The Bugify Vault Telegram community confirms Meta's fix was cosmetic: it removed the frontend button only. Attackers are now using alternative access methods (Telegram bots, scripts) to reach the Meta AI endpoints. Users continue reporting account takeovers.

What Changed and What Didn't

The "Get Support" button removed from Instagram's UI created friction for casual exploitation but did not address the underlying vulnerability. The API endpoints that power Meta AI's account recovery functions remain accessible. Attackers demonstrating the exploit on Telegram are using automated tools to interact with Meta AI directly, bypassing the removed UI entirely. Two-factor authentication is not preventing compromise, indicating the vulnerability exists at the account recovery layer, not the authentication layer.

Meta has not publicly disclosed what changes were made beyond the UI removal. The company has not provided technical details about what was fixed in the backend, what remains vulnerable, or what timeline exists for a proper fix.

The Trust & Safety Context

Meta recently laid off 8,000 employees globally, with an additional 7,000 reassigned to AI initiatives. Unconfirmed reports suggest Instagram's Trust and Safety division was reduced by 60% through layoffs and reassignments. The timing raises an obvious question: whether the superficial fix reflects genuine technical constraints, or reduced capacity in the security team responsible for patching vulnerabilities.

What This Means for Healthcare Organizations

The Instagram incident demonstrates that claiming a vulnerability is fixed without actually addressing the underlying issue is operationally feasible but ultimately ineffective. Healthcare organizations should validate that claimed fixes to support systems actually address the root cause, not just the user-facing symptom. For patient portal password resets, this means verifying that the backend API has implemented proper identity verification, not simply hiding the vulnerable button from users.

Healthcare CISOs should also prepare for the possibility that AI-generated or AI-assisted security patches may lack rigor. If organizations are using AI to generate code fixes (the emerging "vibe coding" pattern), those fixes may be superficially plausible without addressing the underlying architectural problem. This does not mean AI-assisted patching is inherently flawed, but it does mean security teams should apply higher scrutiny to fixes that appear to address symptoms rather than root causes.

Outstanding Questions

Whether the incomplete fix reflects technical complexity, staffing constraints, or architectural challenges at Meta remains undetermined. What is observable is that as of June 3, 2026, the vulnerability persists, users continue to be compromised, and attackers have adapted to the cosmetic fix within hours. A proper fix would likely require disabling password resets through AI support entirely, or implementing secondary verification (out-of-band confirmation, security questions, in-person verification) that makes the attack substantially more difficult.
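The two points above, that a fix must be validated at the backend rather than the UI and that account recovery needs out-of-band confirmation, can be made concrete with a small model. The following is an added example, not code from the article, from Meta or from any real client. It builds a hypothetical password-reset backend with two independent switches (one hiding the UI entry point, one enforcing server-side out-of-band confirmation), a validation routine a defender would run against their own service using a throwaway account, and an audit view of denied attempts. Every class, function, account and code value here is constructed for illustration.

```python
"""Added illustration (not code from the article, Meta or any real client):
a toy password-reset backend showing the difference between hiding the UI
entry point and enforcing identity verification server-side, plus the check
a defender would run against their own service. Every name and value here
is constructed."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hash_password(password: str, salt: bytes | None = None) -> str:
    """PBKDF2 stand-in for a real password hash; stored as salt$digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


@dataclass
class Account:
    username: str
    password_hash: str
    # SHA-256 of the out-of-band code sent to the recovery channel; None if no reset pending.
    pending_code_hash: str | None = None


class ResetService:
    """Hypothetical recovery backend.

    show_button only controls whether the UI renders the support entry point
    (the cosmetic fix described in the article). require_oob controls whether
    the backend itself demands out-of-band confirmation before changing a
    password. Only the second setting changes what a direct API caller can do.
    """

    def __init__(self, accounts, *, show_button: bool = True, require_oob: bool = False):
        self.accounts = {a.username: a for a in accounts}
        self.show_button = show_button
        self.require_oob = require_oob
        self.audit: list[tuple[str, str]] = []  # constructed audit log for detection

    def request_reset(self, username: str) -> str | None:
        """Start recovery. The code is returned here only so the example runs
        offline; a real service delivers it over the recovery channel instead."""
        acct = self.accounts.get(username)
        if acct is None:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending_code_hash = hashlib.sha256(code.encode()).hexdigest()
        self.audit.append(("reset_requested", username))
        return code

    def api_reset_password(self, username: str, new_password: str,
                           oob_code: str | None = None) -> bool:
        """The endpoint that stays reachable regardless of what the UI shows."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        if self.require_oob:
            if acct.pending_code_hash is None or oob_code is None:
                self.audit.append(("reset_denied_no_oob", username))
                return False
            presented = hashlib.sha256(oob_code.encode()).hexdigest()
            if not hmac.compare_digest(presented, acct.pending_code_hash):
                self.audit.append(("reset_denied_bad_oob", username))
                return False
        acct.password_hash = hash_password(new_password)
        acct.pending_code_hash = None  # code is single-use
        self.audit.append(("password_changed", username))
        return True


def fix_is_effective(service: ResetService, test_username: str) -> bool:
    """Validation a defender runs against their own service with a throwaway
    account: the fix is real only if the backend refuses a reset that skips
    the out-of-band step, irrespective of whether the UI still shows a button."""
    before = service.accounts[test_username].password_hash
    changed = service.api_reset_password(test_username, "validation-pw")
    return (not changed) and service.accounts[test_username].password_hash == before


def suspicious_denials(service: ResetService) -> list[str]:
    """Detection view: usernames whose recovery attempts skipped or failed OOB."""
    return sorted({u for ev, u in service.audit if ev.startswith("reset_denied")})


def build(require_oob: bool, show_button: bool) -> ResetService:
    # Constructed sample accounts; 'canary' is the tester's throwaway account.
    accounts = [Account("alice", hash_password("correct horse")),
                Account("canary", hash_password("throwaway"))]
    return ResetService(accounts, show_button=show_button, require_oob=require_oob)


if __name__ == "__main__":
    cosmetic = build(require_oob=False, show_button=False)
    print("button hidden, backend unchanged -> effective:", fix_is_effective(cosmetic, "canary"))
    real = build(require_oob=True, show_button=True)
    print("button visible, backend enforces OOB -> effective:", fix_is_effective(real, "canary"))
    code = real.request_reset("alice")
    print("legitimate reset with delivered code:", real.api_reset_password("alice", "new-pw", code))
    print("accounts with denied attempts:", suspicious_denials(real))
```

The point of `fix_is_effective` is that it never looks at `show_button`: a validation that only confirms the button is gone would pass the cosmetic configuration. The denial events in the audit log are what a SOC would alert on once the backend check is in place, since a burst of `reset_denied_no_oob` against many accounts is the signature of a client that was relying on the missing verification.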



Key Links