
Hackers Took Over Instagram Accounts By Asking Meta's AI Support Bot

 


Hackers took over some of the most valuable accounts on Instagram over the weekend by asking Meta’s own AI support bot to hand them the keys, and it agreed without checking whether the person asking actually owned the account. They never cracked a password, sent a phishing link, or got near the victim’s inbox. They opened a support chat, typed a few polite sentences, and walked off with accounts worth hundreds of thousands of dollars.

The accounts that got hit were not random or low value. The dormant Instagram page for the Obama White House, untouched since the presidential handover in January 2017, was hijacked and defaced with a pro-Iranian image. The account belonging to the Chief Master Sergeant of the U.S. Space Force went too, along with the beauty retailer Sephora, the app researcher Jane Manchun Wong, and a set of short, rare usernames like @hey and @jowo that are valued together at more than a million dollars on the underground market.

The uncomfortable part is how little skill it took. Instagram has a long, frustrating reputation for terrible account support, where getting a locked account back can take weeks of fighting an automated ticket system with no human anywhere on the other end. Meta’s answer was an AI support assistant, introduced late last year and then put in charge of account recovery, handling common tasks like relinking a lost email, resetting a password, and confirming that someone owns the account they claim. To do that job, the assistant was handed real write access to the systems that manage accounts.

That access is where it fell apart. An attacker would first set up a VPN or proxy with an IP address near the real owner’s usual location, which kept Meta’s automatic fraud checks quiet. Then they opened a chat with the AI assistant and asked it, in plain language, to link a new email address to the target account. The bot did it, and sent a verification code straight to the attacker’s email.

Attacker (connected through a VPN near the target's location):
  Opens a chat with Meta's AI support assistant
  Asks it to link a new email to the target account
  Gives the target username and an attacker-controlled email

Meta AI support bot:
  Links the attacker's email to the account
  Sends an 8-digit verification code to that email

Attacker:
  Uses the code to reset the password
  Refreshes the account's backup codes
  The real owner is now locked out

With that code in hand, the attacker reset the password, refreshed the account’s backup codes, and shut the real owner out. The genuine account holder never got a prompt to confirm anything, and no warning ever reached the email already on file. From the first message to a locked-out owner, it took minutes.

The reason this worked comes down to who was allowed to do what. The AI bot had permission to change the email on an account and trigger a password reset, something a normal user cannot do directly. The attacker had no such permission and no credentials at all, so instead of going at the account head on, they convinced the one thing that did have the permission to use it on their behalf. The bot did exactly what it was designed to do, just aimed at the wrong account. Security people have a name for this kind of flaw, the confused deputy problem, and it was first written up back in 1988. The new twist is that the deputy here is a language model, and a language model can be talked into things with words instead of code.

The way it was triggered looks like prompt injection. The bot reads a message as a blend of information and instructions and cannot reliably tell the two apart, so part of what looks like ordinary detail gets acted on as a command. It is the same underlying weakness as SQL injection in old web forms, where text typed into a field as data ended up running as a database command, and a language model has no clean way to separate data from instructions because making sense of natural language is the job it was built for. But the real problem was not the wording. It was that the bot acted on the request without ever confirming who was asking, and that is what really made the attack possible.

None of this should have come as a surprise. The security community has warned about exactly this setup for years. The OWASP project, which publishes widely used security guidance, released a top ten list of risks for large language model applications back in 2023, and one of the named risks is excessive agency: giving an AI too much room to act, especially the power to take actions that cannot be undone, without a person or a hard check standing in the way. Meta built the thing that list warned against.

Multi-factor authentication mattered here, but not as a guarantee. The people who shared the method on Telegram claimed it failed against accounts with a second login step switched on, and Krebs on Security read it the same way, that even a simple SMS code would probably have blocked it. Other researchers and outlets are less sure, with several reporting that the bot got past two-factor protection anyway, and at least one well-known victim who normally runs that kind of protection still lost their account. The reason lies in how account recovery works. Recovery is built to let people back in when they have lost their normal login, so it deliberately relaxes the usual checks, and that is exactly the moment the AI was making the decisions. When the bot did ask for proof, attackers got around it. In the cases where it asked for a selfie to confirm identity, they fed the victim’s public profile photos into an AI video generator and used the fake clip to pass the check. So turn it on, because it clearly made this harder and stopped the simple version of the attack, but do not treat it as foolproof.

There is a bitter irony in all of this. When Meta launched this AI support, it sold the location awareness as a security feature, telling users its systems recognized their usual devices and familiar places better than ever. That same location check is exactly what a cheap VPN defeated. What Meta presented as protection became the way in.

The people behind the takeovers claimed to be pro-Iran, and the message left on the Obama account leaned that way. Attribution is one of the hardest parts of security though. A VPN hides where someone really is, a claim posted on Telegram costs nothing, and a political image pasted onto a stolen account proves only that the account was stolen. What we can be sure of is how the attack worked. Who was really behind it is far less certain.

Meta pushed an emergency patch over the weekend, cutting off the AI flows that had direct write access to the email and password systems, and said the issue was resolved and affected accounts were being secured. The company also said there was no breach of its systems, which is true in a narrow technical sense, since no database was cracked open and no credentials were stolen from Meta directly. For someone who lost a six-figure handle over a single weekend, that wording is no comfort. The account is gone either way, and researchers were quick to point out that a logic flaw letting strangers seize accounts at will is still a failure, database intact or not.

The bigger worry is that Meta is almost certainly not the only one. The same design decision, an AI agent wired into production systems with real power to act and no firm verification step in front of it, sits in plenty of places nobody has tested yet. The fix is neither complicated nor new. An action that cannot be reversed, like rebinding the email on an account, should never run on a language model’s judgment alone. It needs a deterministic check that lives outside the model, a confirmation sent to the contact already on the account, rate limits on reset attempts, and logging that flags anything odd. That is ordinary practice for any sensitive system. The mistake was not applying it to the AI.
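The deterministic gate described above, sketched in Python as an added example (not Meta's code and not part of the original article). The `Gate` class, the tool names and the limits are assumptions for illustration: the model may only propose an action, and an irreversible change is applied only after a token sent to the contact already on file comes back.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

IRREVERSIBLE = {"change_email", "reset_password"}  # assumed tool names
MAX_ATTEMPTS, WINDOW_S = 3, 3600                   # assumed limit per account

@dataclass
class Gate:
    on_file: dict                                  # account -> contact already on record
    pending: dict = field(default_factory=dict)    # account -> (token, action, args)
    attempts: dict = field(default_factory=dict)   # account -> request timestamps
    outbox: list = field(default_factory=list)     # stands in for the mail sender
    audit: list = field(default_factory=list)      # every decision, for alerting

    def _log(self, decision, account, action, reason):
        self.audit.append((decision, account, action, reason))
        return decision

    def request(self, account, action, args, now=None):
        """Handle a tool call proposed by the model; never applies it directly."""
        now = time.time() if now is None else now
        if action not in IRREVERSIBLE:
            return self._log("allow", account, action, "reversible")
        if account not in self.on_file:
            return self._log("deny", account, action, "unknown_account")
        recent = [t for t in self.attempts.get(account, []) if now - t < WINDOW_S]
        if len(recent) >= MAX_ATTEMPTS:
            return self._log("deny", account, action, "rate_limited")
        self.attempts[account] = recent + [now]
        token = secrets.token_urlsafe(16)
        self.pending[account] = (token, action, args)
        # The token goes to the existing contact, not to any address from the chat.
        self.outbox.append((self.on_file[account], token))
        return self._log("pending", account, action, "sent_to_on_file_contact")

    def confirm(self, account, token):
        """Apply the pending change only if the on-file contact returns the token."""
        entry = self.pending.get(account)
        if entry is None or not hmac.compare_digest(entry[0], token):
            return self._log("deny", account, "confirm", "bad_or_missing_token")
        del self.pending[account]
        _, action, args = entry
        if action == "change_email":
            self.on_file[account] = args["new_email"]
        return self._log("applied", account, action, "owner_confirmed")
```

A production version would also expire pending tokens and alert on repeated `deny` entries in the audit log.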

If you want to keep this kind of thing away from your own accounts, a few steps go a long way:

  • Turn on multi-factor authentication everywhere you can. It made a real difference even in this case, and an authenticator app or a hardware key is stronger than an SMS code.
  • Use an email address for your important accounts that you do not publish on your website, your LinkedIn, or anywhere else public. The harder it is to find, the harder it is to use against you.
  • Generate a fresh set of backup recovery codes and store them offline, in a password manager or printed and kept somewhere physical, never sitting in your email.
  • Check your active login sessions now and then and log out anything you do not recognize. On Instagram that lives under Accounts Center, Password and Security, Where You’re Logged In.
  • If a password reset email turns up that you never asked for, do not click anything inside it. Open the app yourself and check that your linked email and phone number are still your own.


Sources: 404 Media | Meta Newsroom

 


By Bulls Eye

Jolanda de Koff
