
Hackers Tricked Meta's AI Support Bot Into Handing Over Instagram Accounts
A simple manipulation of Meta's AI chatbot let attackers reset passwords and seize high-profile accounts - no technical skill required, just conversational persuasion.
This article was produced by the AETW editorial team.
Hackers circulated Telegram instructions showing how to manipulate Meta's AI support chatbot into resetting Instagram passwords for accounts they did not own - no exploited code, no breached database, just conversational manipulation of an AI agent with account-level write permissions.
What the attack actually looked like

The exploit was deceptively simple. A video shared on Telegram over the weekend showed the full process: connect via a VPN with an IP address near the target account holder's usual location, initiate a password reset for the target's Instagram account, then route the request through Meta's AI support assistant chatbot. Once in conversation with the bot, the attacker told it to link the account to a new email address. The bot complied, sent a one-time verification code to that new address, and the attacker used it to complete the password reset - locking the original owner out entirely.
No code was injected into backend systems. No database was breached. The attacker simply asked the bot to do something it was technically capable of, but should never have done without verified account ownership. Demonstrations shared on Telegram showed the bot processing the requests without raising flags or escalating to a human reviewer.
High-profile victims, a half-million in handles
The compromised accounts included the Instagram handle for the Obama White House - inactive since 2017 - which was briefly defaced with pro-Iranian images and messages. The profile of U.S. Space Force Chief Master Sergeant John Bentivegna was also taken over, along with the account of prominent security researcher Jane Wong. Reports from 404 Media identified beauty retailer Sephora and a collection of short, high-value Instagram handles that hackers on Telegram claimed carry a combined resale value above $500,000.
The instructions originated from a pro-Iranian group. The method required a VPN and conversational patience with a chatbot - no specialized technical knowledge, no zero-day exploit, no credential phishing.
The real flaw: AI agents with write access to sensitive credentials

This is the underlying problem. Meta deployed its AI assistant to handle common account recovery tasks - re-linking a lost email address, triggering an Instagram password reset, verifying account ownership - because its human support infrastructure is widely criticized as slow and unresponsive. The AI was built to reduce friction for legitimate users locked out of their accounts. Instead, it became a faster attack path for people who were not.
The specific weakness was location-based verification. Meta's system used device recognition and IP proximity to the account's typical location as part of its security model. Attackers bypassed it entirely with a VPN pointed at the target's city.
Ian Goldin, a threat researcher at Lumen's Black Lotus Labs, framed the broader issue clearly: AI chatbots create new attack surfaces that mirror the social engineering risks of human support staff, but at scale and without the intuition a trained employee might apply to a suspicious request. As more platforms move sensitive account recovery operations to AI agents, incidents like this are likely to multiply.
MFA stopped it cold
The exploit had one hard limit: multi-factor authentication. According to the hackers themselves, the method failed against every account with any form of MFA enabled - including the weakest option, an SMS-based one-time code. Accounts without MFA that had the AI support option active were vulnerable to a full takeover in minutes.
For Instagram users, the immediate action is straightforward: enable MFA. Instagram offers SMS codes, authenticator apps, and security keys. Any of them would have stopped this specific attack. In an environment where prompt injection techniques are increasingly being applied to AI support systems, a second authentication factor is one of the few reliable defenses that does not depend on the AI making good judgment calls.
Meta patched it - but the question stays open
Meta pushed an emergency patch over the weekend after the wave of Instagram hack incidents went public. Andy Stone, Meta's Vice President of Communications, stated on X that the issue had been resolved and that the company was securing affected accounts. Meta confirmed no backend database was breached - the attack operated entirely through the AI's legitimate support interface.
The patch closes this specific vector. But the design question it surfaces is not resolved. Giving a Meta AI chatbot the authority to add email addresses and trigger credential resets - without a more robust ownership verification step - is an architectural choice that will face more scrutiny now. Every platform that routes account recovery through an AI agent faces a version of the same tradeoff: the easier the recovery flow, the easier the takeover.
What to do right now

- Enable MFA on your Instagram account - go to Settings > Accounts Center > Password and security > Two-factor authentication.
- Use an authenticator app or security key rather than SMS if possible; these resist SIM-swapping in addition to AI-based attacks.
- Review which of your accounts use AI-powered recovery flows and assume they carry similar risk if MFA is not enabled.
- For operators and developers building AI support agents: avoid giving the agent write permissions to credentials without a strong, independent ownership verification step that the AI itself cannot bypass.
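For the last recommendation, one way to build a verification step the AI cannot bypass is a policy gate that sits between the agent and the account backend and honors only a signed, account-bound proof issued by a separate verification service. This is an added sketch, not Meta's implementation; the tool names, session field, and key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: this key lives only in the verification service and the policy
# gate; the agent/LLM process never holds it and so cannot mint proofs.
VERIFIER_KEY = secrets.token_bytes(32)
PROOF_TTL = 300  # seconds a proof stays valid
SENSITIVE_ACTIONS = {"change_email", "reset_password"}  # hypothetical tool names


def _tag(account_id, action, exp):
    msg = f"{account_id}|{action}|{exp}".encode()
    return hmac.new(VERIFIER_KEY, msg, hashlib.sha256).hexdigest()


def issue_proof(account_id, action, now=None):
    """Verification service: call only after the user has proven control of a
    factor already on file (e.g. a code sent to the existing email)."""
    exp = int((time.time() if now is None else now) + PROOF_TTL)
    return f"{exp}.{_tag(account_id, action, exp)}"


def proof_valid(proof, account_id, action, now=None):
    """True only for an unexpired proof bound to this account and action."""
    try:
        exp_s, tag = proof.split(".", 1)
        exp = int(exp_s)
    except (AttributeError, ValueError):
        return False
    fresh = exp >= (time.time() if now is None else now)
    expected = _tag(account_id, action, exp)
    return fresh and hmac.compare_digest(tag.encode(), expected.encode())


def execute_tool_call(call, session):
    """Policy gate between the agent and the account backend."""
    action, account_id = call["action"], call["account_id"]
    if action in SENSITIVE_ACTIONS:
        # Only server-side session state counts. Anything inside `call` was
        # written by the model (claims of ownership, location, "verified"
        # flags) and is ignored for authorization.
        proof = session.get("ownership_proof")
        if not proof_valid(proof, account_id, action):
            return {"status": "denied", "reason": "ownership_not_verified"}
    return {"status": "ok", "action": action}
```

Because the proof is bound to both the account and the action, a proof obtained for one account or for an email change cannot be reused against another account or for a password reset.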
Brian Weerasinghe is the founder and editor of AI Eating The World, where he covers artificial intelligence, tech companies, layoffs, startups, and the future of work. His reporting focuses on how AI is transforming businesses, products, and the global workforce. He writes about major developments across the AI industry, from enterprise adoption and funding trends to the real-world impact of automation and emerging technologies.
