A critical flaw in Meta's AI-powered support chatbot allowed hackers to hijack high-profile Instagram accounts by simply asking the bot to change account credentials.
The push to replace human customer service with conversational artificial intelligence has backfired spectacularly for Meta. A vulnerability in the company's AI support assistant allowed bad actors to bypass security protocols and seize control of prominent Instagram accounts, including the Obama-era White House page and the account of U.S. Space Force Chief Master Sergeant John Bentivegna. The flaw turns what was supposed to be a frictionless support tool into an open door for social engineering.
According to a report from Krebs on Security, the exploit is remarkably low-tech. Instead of breaking encryption or breaching databases, attackers simply opened a chat with Meta's AI support assistant and asked the bot to add a new email address to the target account. The chatbot then sent a verification code to the attacker-controlled email. Once the hacker shared that code back with the bot, it presented a "Reset Password" button, allowing the attacker to set a new password and lock out the real owner. To avoid triggering Instagram's automated protections, hackers used a VPN to spoof the target's presumed location before initiating the conversation.
The friction reduction trap
This incident exposes the fundamental danger of letting large language models manage critical security infrastructure. Meta introduced the conversational AI layer earlier this year to solve a persistent corporate headache: Instagram's historically congested human support ticketing system. The assistant was designed to reduce friction for legitimate users stuck in account-access limbo by automating tasks like updating email addresses and resetting passwords.
The exact trait that makes generative AI pleasant for consumers, its eager politeness and desire to assist, makes it highly susceptible to manipulation. There is no adversarial resistance baked into a system built to be helpful. When a chatbot's default posture is accommodation, a carefully worded request looks identical to a legitimate one.
The real-world fallout was immediate and highly visible. Once inside the accounts, attackers defaced profiles with geopolitical propaganda and changed the underlying credentials to lock out actual owners. Threat researchers monitoring dark web marketplaces noted that step-by-step video tutorials demonstrating the exploit circulated rapidly on Telegram channels, where compromised high-value short usernames were put up for resale. As 404 Media reported, some of these handles carried an estimated resale value exceeding half a million dollars.
A patched vulnerability but a wider warning
Meta has scrambled to contain the damage. Vice President of Communications Andy Stone confirmed on social media that the issue has been resolved and the company is working to secure the affected accounts. Security analysts report that an emergency patch stripped the AI assistant of its ability to alter account recovery routing parameters without additional verification layers.
While the immediate loophole is closed, the breach stands as a stark warning for any enterprise rushing to hand over administrative controls to automated systems. AI models are currently unequipped to handle sensitive authentication workflows without strict, hard-coded guardrails. When an algorithmic layer can be talked into bypassing identity verification, the entire security perimeter collapses.
For users, the single most effective shield during this exploit was robust multi-factor authentication. Hackers on Telegram openly admitted that their routine failed entirely against any target with an authenticator app or hardware key tied to the profile. That detail alone should settle any remaining debate about whether MFA is optional.
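The hard-coded guardrail called for above, and the existing-factor check that stopped the attackers, as an added example that is not Meta's code: the model's proposed tool call is treated as untrusted input, and a deterministic policy outside the model decides whether it runs. Tool names, the `Session` fields and the `StepUp` enum are assumptions made for this illustration.

```python
from dataclasses import dataclass
from enum import Enum
class StepUp(Enum):
    NONE = "none"
    EXISTING_FACTOR = "existing_factor"  # authenticator app or hardware key already bound to the account

@dataclass
class Session:
    account_id: str
    step_up: StepUp = StepUp.NONE
    new_email_code_confirmed: bool = False  # code mailed to the *requested* new address was echoed back

# The model only proposes a tool call; a gate outside the model decides whether it runs.
PRIVILEGED_TOOLS = {"add_recovery_email", "reset_password"}

def vulnerable_gate(session: Session, tool: str) -> tuple:
    """Flawed pattern: a code sent to the new address only proves control of that address."""
    if tool in PRIVILEGED_TOOLS and not session.new_email_code_confirmed:
        return False, "code sent to new email not yet confirmed"
    return True, "allowed"

def hardened_gate(session: Session, tool: str) -> tuple:
    """Hard-coded guardrail: recovery changes require a factor already bound to the account."""
    if tool not in PRIVILEGED_TOOLS:
        return True, "allowed"
    if session.step_up is not StepUp.EXISTING_FACTOR:
        return False, "step-up against an existing factor required"
    return True, "allowed"

def run_tool_call(gate, session: Session, tool: str, audit: list) -> bool:
    """Dispatch one model-proposed tool call through the gate and record the decision."""
    allowed, reason = gate(session, tool)
    audit.append(f"{session.account_id} {tool} {'ALLOW' if allowed else 'DENY'}: {reason}")
    return allowed

def simulate() -> dict:
    """Constructed scenario: the takeover chat described in the report versus the real owner."""
    audit = []
    # Attacker controls the new address, so the mailed code comes straight back; no account factor.
    attacker = Session("target_account", StepUp.NONE, new_email_code_confirmed=True)
    # Owner first proved possession of the authenticator app bound to the account.
    owner = Session("target_account", StepUp.EXISTING_FACTOR, new_email_code_confirmed=True)
    results = {
        "attacker_vulnerable": run_tool_call(vulnerable_gate, attacker, "add_recovery_email", audit),
        "attacker_hardened": run_tool_call(hardened_gate, attacker, "add_recovery_email", audit),
        "owner_hardened": run_tool_call(hardened_gate, owner, "reset_password", audit),
        "attacker_help_article": run_tool_call(hardened_gate, attacker, "lookup_help_article", audit),
    }
    print("\n".join(audit))
    return results
```

The audit lines are the detection hook: a DENY on a privileged tool from a session with no step-up is exactly the event a support-tooling SOC would want alerted on.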
The broader lesson for the tech sector is not that AI support tools are inherently dangerous, but that deploying them over security-critical functions without rigorous red-teaming is reckless. Convenience and security have always existed in tension. Meta's chatbot breach is a vivid reminder that when companies prioritize the former at the expense of the latter, the consequences land squarely on the users they were trying to help.