
Hackers have reportedly found a way to exploit Meta’s AI-powered assistant to take control of high-profile Instagram accounts, including those linked to public figures, government organizations, and holders of valuable usernames.
According to online reports, attackers persuaded the chatbot to change account recovery email addresses, allowing them to reset passwords and take control of targeted accounts before Meta patched the vulnerability.
Meta’s AI support assistant allegedly became an unexpected entry point for account takeovers after attackers discovered they could persuade the chatbot to modify account recovery information.
According to 404 Media, hackers used the AI-powered support system to change the email addresses associated with targeted Instagram accounts. Once an account's email address had been changed, they could initiate a password reset and access the victim’s account.
The vulnerability reportedly remained active for months until several high-profile account compromises attracted widespread attention. Meta subsequently implemented an emergency fix and stated that the issue had been resolved.
The reported attack chain was surprisingly simple. Attackers would use a VPN to look like they were in the same geographic region as the target account and start an Instagram password recovery process.
They then escalated the discussion to Meta’s AI support chatbot and requested to change the account’s email address. Following the regular password reset process, the attackers would gain control of the account.
The attack did not rely on sophisticated malware, zero-day exploits or technical vulnerabilities in Instagram itself. Instead, attackers manipulated the AI system to perform sensitive account recovery actions.
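The sequence described above (a password reset request, a recovery email change made through the support assistant, then a completed reset) can be written as a detection rule over account events. This is an added example, not code from Meta or the original report; the event schema, field names, time window and sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; the schema and all values are assumptions for illustration.
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "account": "acct_a", "type": "password_reset_requested", "actor": "unknown"},
    {"ts": "2025-01-10T09:05:00", "account": "acct_a", "type": "recovery_email_changed", "actor": "support_assistant", "mfa_verified": False},
    {"ts": "2025-01-10T09:07:00", "account": "acct_a", "type": "password_reset_completed", "actor": "unknown"},
    # Same sequence, but the email change passed a second-factor check.
    {"ts": "2025-01-10T09:10:00", "account": "acct_b", "type": "password_reset_requested", "actor": "unknown"},
    {"ts": "2025-01-10T09:12:00", "account": "acct_b", "type": "recovery_email_changed", "actor": "support_assistant", "mfa_verified": True},
    {"ts": "2025-01-10T09:15:00", "account": "acct_b", "type": "password_reset_completed", "actor": "unknown"},
    # Email changed by the logged-in owner before any reset was requested.
    {"ts": "2025-01-10T08:00:00", "account": "acct_c", "type": "recovery_email_changed", "actor": "user", "mfa_verified": False},
    {"ts": "2025-01-10T11:00:00", "account": "acct_c", "type": "password_reset_requested", "actor": "unknown"},
    {"ts": "2025-01-10T11:02:00", "account": "acct_c", "type": "password_reset_completed", "actor": "unknown"},
    # Steps present but spread over days, outside the correlation window.
    {"ts": "2025-01-10T10:00:00", "account": "acct_d", "type": "password_reset_requested", "actor": "unknown"},
    {"ts": "2025-01-13T10:00:00", "account": "acct_d", "type": "recovery_email_changed", "actor": "support_assistant", "mfa_verified": False},
    {"ts": "2025-01-13T10:05:00", "account": "acct_d", "type": "password_reset_completed", "actor": "unknown"},
]

WINDOW = timedelta(hours=24)  # assumed correlation window


def find_suspicious_recoveries(events, window=WINDOW):
    """Flag accounts where a reset request is followed, within the window, by an
    unverified recovery email change via the support assistant and a completed reset."""
    progress = {}  # account -> (steps matched so far, time of the reset request)
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        step, start = progress.get(acct, (0, None))
        if start is not None and ts - start > window:
            step, start = 0, None  # chain went stale, start over
        if ev["type"] == "password_reset_requested":
            step, start = 1, ts
        elif (step == 1 and ev["type"] == "recovery_email_changed"
              and ev["actor"] == "support_assistant" and not ev.get("mfa_verified")):
            step = 2
        elif step == 2 and ev["type"] == "password_reset_completed":
            flagged.append(acct)
            step, start = 0, None
        progress[acct] = (step, start)
    return flagged


if __name__ == "__main__":
    print(find_suspicious_recoveries(EVENTS))
```
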
Reports linked the exploit to several high-profile account compromises. According to published accounts, affected profiles included the Barack Obama White House Instagram account, the Chief Master Sergeant of the Space Force account, and many “OG” Instagram usernames.
Security researchers also reported that attackers targeted rare, highly desirable usernames that can command significant prices on underground markets.
Although Meta has reportedly fixed the vulnerability, users should still follow account security best practices.
The exploit generally failed against accounts protected by MFA, including SMS-based authentication.
Avoid using the same password across multiple services. Password reuse remains one of the most common causes of account compromise.
Verify that your recovery email address and phone number remain accurate and accessible.
Most major platforms provide notifications when new devices log in or account settings change.
Unexpected password reset emails, login notifications, or profile changes may indicate that someone is attempting to access your account.
Hackers reportedly exploited Meta's AI support chatbot to change recovery email addresses on Instagram accounts and gain control of them.
Yes. Meta said it patched the vulnerability and is securing affected accounts.
The incident shows how AI systems with elevated privileges can become attack targets if they can perform sensitive account-management tasks.
Yes. Researchers reported that MFA prevented many takeover attempts from succeeding.
Enable multi-factor authentication, use a strong unique password, and regularly review account recovery settings.
Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.