
Hackers tricked Meta's AI support chatbot into attaching their own email to high-profile Instagram accounts, enabling full takeovers. Meta says the flaw is now fixed.
What happened
In one of the clearest real-world demonstrations yet of how AI customer-support tools can be turned into an attack surface, hackers seized control of several high-profile Instagram accounts over the weekend by manipulating Meta's AI Support Assistant into doing the work for them. Rather than exploiting a software bug in the traditional sense, the attackers exploited the bot's willingness to act on a request — convincing it to attach a new email address to accounts they did not own.
How the attack worked
The technique was striking for its simplicity:
- Spoof the location: Attackers first used a VPN to appear as if they were operating from the victim's usual location, sidestepping Instagram's automated fraud and login-protection checks.
- Ask the bot: They opened a conversation with the Meta AI Support Assistant and asked it to add a new email address to the target's account.
- Intercept the code: Because the new address was attacker-controlled, the one-time verification code went straight to the hacker — never touching the victim's real inbox.
- Feed it back and reset: The attacker handed that code back to the chatbot, which then surfaced a password-reset option — letting them set a new password and take full control of the account.
The chain worked because the support flow trusted the AI assistant's action without re-verifying ownership through the account's existing email — turning a convenience feature into a complete account-takeover path.
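The missing re-verification step, modeled as an added Python example (this is illustrative code, not Meta's; the Account class, both flows and all addresses are constructed): the weak flow sends the one-time code only to the requested address, so whoever controls that inbox passes, while the hardened flow first challenges an address already on the account and only then verifies the new one.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    emails: list                                 # verified addresses; [0] is primary
    pending: dict = field(default_factory=dict)  # challenge key -> one-time code
    outbox: list = field(default_factory=list)   # (recipient, code); stands in for SMTP

def _challenge(acct, key, recipient):  # issue a code under `key`, "mail" it to recipient
    acct.pending[key] = code = f"{secrets.randbelow(10**6):06d}"
    acct.outbox.append((recipient, code))

def _redeem(acct, key, code):
    """Constant-time check; the code is consumed on any attempt, right or wrong."""
    expected = acct.pending.pop(key, None)
    return expected is not None and secrets.compare_digest(expected, code)

def confirm_new_email(acct, new_email, code):  # final step shared by both flows
    ok = _redeem(acct, ("new", new_email), code)
    if ok:
        acct.emails.append(new_email)
    return ok

# Weak flow, as the article describes it: the only proof demanded is that the
# *requested* address can receive a code, so whoever controls that inbox passes.
def weak_add_email(acct, new_email):
    _challenge(acct, ("new", new_email), new_email)

# Hardened flow: adding a recovery address is an ownership change, so step 1 goes
# to an address already on the account; only a caller who can read that inbox
# reaches step 2, where the new address is verified exactly as in the weak flow.
def hardened_start(acct, new_email):
    _challenge(acct, ("owner", new_email), acct.emails[0])

def hardened_prove_owner(acct, new_email, code):
    if not _redeem(acct, ("owner", new_email), code):
        return False
    _challenge(acct, ("new", new_email), new_email)  # step 2: now verify the new inbox
    return True

def simulate(flow):
    """Caller controls only the attacker's inbox; returns whether it got bound."""
    acct, evil = Account(["owner@example.invalid"]), "attacker@example.invalid"
    mine = lambda: [c for to, c in acct.outbox if to == evil]  # codes the caller can read
    if flow == "weak":
        weak_add_email(acct, evil)
    else:
        hardened_start(acct, evil)          # step-1 code went to the owner's inbox, not `evil`
        if not hardened_prove_owner(acct, evil, (mine() or [""])[-1]):
            return False
    return confirm_new_email(acct, evil, mine()[-1])
```

simulate("weak") binds the attacker's address; simulate("hardened") stops at step 1 because the only code issued went to the owner's existing inbox.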
Who was targeted
The compromised accounts reportedly included:
- The Obama-era White House Instagram handle (inactive since 2017)
- The account of U.S. Space Force Chief Master Sergeant John Bentivegna
- Security researcher Jane Wong, who confirmed her own account was taken over
It remains unclear exactly how many accounts were affected, but the focus on verified, high-profile handles suggests the attackers were after high-value targets rather than random users.
Meta's response
Instagram spokesperson Andy Stone said on Monday that the issue had been fixed. Meta has not detailed the full scope of affected accounts, but the rapid patch suggests the company treated the support-bot pathway as a serious, exploitable gap.
Why it matters
This incident is a textbook example of an emerging risk: AI agents with real account permissions but weak guardrails. As companies wire chatbots into sensitive workflows — changing emails, resetting credentials, issuing refunds — each granted capability becomes a potential bypass if the bot does not rigorously re-verify identity. The attack required no malware and no stolen password; it required only the right phrasing. For everyday users, it is also a reminder of why two-factor authentication and login alerts matter.
Frequently Asked Questions
Did users do anything wrong?
No. Victims did not fall for a phishing link or reuse a weak password — the takeover happened through Meta's own support tooling, outside the user's control.
Is the flaw still exploitable?
Meta says it has fixed the issue. Users who suspect compromise should review their account's linked email addresses and active sessions, and re-enable two-factor authentication.
Is this an AI vulnerability?
Effectively yes — the weakness was not the AI's language ability but the permissions it was given without strong identity verification, a growing theme in AI-security incidents.