Meta’s AI support chatbot had a serious security flaw that allowed hackers to take over any Instagram account without needing a password. This exploit was already in use for stealing and reselling high-profile accounts before Meta managed to patch the issue.
How the Hack Worked
The attack was surprisingly straightforward. A hacker would initiate a conversation with Meta’s AI support assistant and request a change to the email address linked to someone else’s Instagram account. Since the chatbot didn’t verify identities, it complied. After changing the email, the hacker could initiate a standard password reset to that new email, locking the original owner out of their account.
Imagine calling a locksmith and asking them to rekey your neighbor’s door. A responsible locksmith would ask for proof of ownership. Unfortunately, Meta’s AI chatbot didn’t require any verification at all.
A video shared on Telegram demonstrated the exploit, showing the hacker walking through the steps. According to Ars Technica, the stolen accounts — especially short, recognizable usernames often referred to as “OG handles” — were being resold before Meta identified the problem and closed the loophole.
Who Was Affected
Reports suggest that high-profile and celebrity Instagram accounts were among those targeted. Short, desirable usernames hold real value in certain online communities, giving hackers a financial incentive beyond mere mischief. The Verge noted that 404 Media first reported the exploit after the Telegram video circulated.
Meta claims it has fixed the vulnerability and is working to secure affected accounts, according to Engadget. However, the company hasn’t disclosed how many accounts were compromised.
| Company | Meta |
|---|---|
| Ticker | META |
| Stock Price | $600.47 (down 5.07% on the day) |
| CEO | Mark Zuckerberg |
| Headquarters | Menlo Park, CA |
| Founded | 2004 |
| Accounts Confirmed Compromised | Not disclosed by Meta |
| Patch Status | Fixed (date not specified) |
Why an AI Chatbot Could Do This at All
The main issue here is that Meta’s support chatbot could make real changes to accounts — like updating an email address — without requiring users to prove ownership. Most sensitive online actions need some form of “authentication” (confirming your identity, often with a password or a code sent to your phone). In this case, the AI skipped that crucial step.
This highlights a known risk with AI systems linked to live tools and databases. When an AI can perform tasks — not just respond to queries but take actions — the potential for security issues increases dramatically. In this instance, the chatbot was essentially handing out a master key because no one programmed it to check for ID first.
What This Means for Everyday Users
If you have an Instagram account, especially one with a unique username or a large following, take this as a reminder to secure your account. Here are some steps to consider:
- Enable two-factor authentication (2FA) — This adds a second confirmation, such as a text message or app code, every time someone tries to log in. It provides a strong barrier, even if a hacker changes your email.
- Check your linked email address — Go to your Instagram settings and confirm that the email on file is yours and accessible.
- Review your login activity — Instagram allows you to see which devices have recently accessed your account. Any unfamiliar devices should raise a red flag.
Even though Meta claims the vulnerability is patched, accounts that were compromised may still need assistance. The company is working on restoring access for affected users, but there’s no timeline provided yet.
Community Reaction
“So Meta built an AI that could change your account email with zero verification and nobody tested this before shipping it? This is embarrassing.”
“Imagine losing your account with 500k followers because a chatbot just… handed it over to someone who asked nicely. Wild.”
What To Watch
- Meta’s account recovery process — The company claims it is working to restore hijacked accounts but hasn’t provided a timeline or guidance for affected users.
- Regulatory attention — Security incidents involving AI systems are attracting more scrutiny from lawmakers in the US and EU. This incident could fuel broader discussions about necessary safeguards for AI support tools before they gain the ability to modify user accounts.
- Other platforms — If Meta’s chatbot had this flaw, it raises questions about whether other companies with AI support tools have similar verification gaps. Expect security researchers to investigate.
- META stock — Shares were already down 5.07% to $600.47 when this news broke. Ongoing negative coverage around AI safety could put further pressure on the stock.
Ava Mitchell
Ava Mitchell is a digital culture journalist at Explosion.com covering social media platforms, streaming services, and the creator economy. With 4 years reporting on TikTok, Instagram, YouTube, and the apps that shape daily life, Ava specializes in explaining platform policy changes and their impact on everyday users. She previously managed social media strategy for a tech startup, giving her firsthand experience with the platforms she now covers.
