Attackers managed to hijack high-profile Instagram accounts by simply asking Meta’s AI support chatbot for access, taking advantage of a security flaw that completely bypassed identity verification.
This method, covered by both 9to5Mac and Android Authority, involved tricking Meta AI, the company’s built-in assistant, into processing account recovery requests without properly confirming the identity of the requester. Essentially, hackers didn’t need to crack passwords or intercept verification codes; they just asked politely, and the AI obliged.
How the Attack Actually Worked
This attack falls under what security researchers call “social engineering.” This approach involves manipulating a system or person into giving up something they shouldn’t, rather than forcing entry. In this case, the target wasn’t a human support agent, but Meta’s AI chatbot.
According to Android Authority, the flaw let attackers skip verification altogether. Instead of going through Instagram’s usual account recovery process—which usually requires confirming a phone number, email address, or government ID—the hackers figured out how to prompt Meta AI in a way that made it act on their behalf without those necessary checks.
Think of it like this: imagine if a bank installed an AI kiosk to help customers reset their PINs. If that kiosk didn’t properly confirm the person’s identity before making changes, anyone who walked up and said the right things could gain access to someone else’s account. That’s pretty much what happened here.
High-profile accounts were specifically targeted, likely because they hold more value—for selling, extortion, or spreading misinformation to large audiences.
Why This Is a Bigger Deal Than a Typical Hack
Most account takeovers require some effort. They often involve phishing emails, SIM swapping (where hackers convince a phone carrier to transfer a victim’s number to a hacker-controlled SIM), or buying stolen credentials from data breaches. This attack needed none of that.
The AI was the vulnerability. This marks a major shift in how security threats are evolving. As companies rush to integrate AI into various aspects of their products—including customer support for sensitive account functions—each integration becomes a potential attack surface.
Meta has been rapidly expanding Meta AI across Instagram, WhatsApp, Facebook, and Messenger. The more these AI systems can act on user accounts, the more crucial it becomes for them to verify identity before proceeding.
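An added example, not code from the article or from Meta: one way to enforce the check described above is a server-side gate between the assistant and the account backend, so a sensitive tool call runs only with a verification proof the model cannot produce. The tool names, `SERVER_KEY`, the session layout and the proof format are all hypothetical.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"   # constructed; real keys live in a secrets manager
SENSITIVE_TOOLS = {"reset_password", "change_email"}   # hypothetical tool names
PROOF_TTL = 300                        # seconds a verification proof stays valid


def _tag(account_id, ts):
    msg = f"{account_id}|{ts}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_proof(account_id, now=None):
    """Called by the verification service only after an out-of-band check
    (a code sent to the email or phone already on file) has succeeded."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_tag(account_id, ts)}"


def proof_is_valid(account_id, proof, now=None):
    """True only for a fresh proof issued for this exact account."""
    try:
        ts, tag = proof.split(".", 1)
        issued = int(ts)
    except (AttributeError, ValueError):
        return False                   # missing or malformed proof
    current = time.time() if now is None else now
    fresh = 0 <= current - issued <= PROOF_TTL
    return fresh and hmac.compare_digest(tag.encode(), _tag(account_id, ts).encode())


def execute_tool_call(call, session, now=None):
    """Policy gate between the assistant and the account backend.

    `call` is what the model requested; `session` is server-side state the
    model cannot write to. Anything the model asserts inside `call`, such as
    a "verified" flag, is ignored.
    """
    if call["tool"] not in SENSITIVE_TOOLS:
        return "allowed"
    if proof_is_valid(call["account_id"], session.get("identity_proof"), now):
        return "allowed"
    return "denied: identity not verified for " + call["account_id"]
```

Because the decision depends only on `session`, a conversation that persuades the assistant to emit the tool call still ends in a denial.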
| Meta — Company Snapshot | |
|---|---|
| Ticker | META |
| Stock Price | $622.98 (+4.24%) |
| CEO | Mark Zuckerberg |
| Founded | 2004 |
| Headquarters | Menlo Park, CA |
| Affected Product | Instagram (Meta AI support chatbot) |
What This Means
If you use Instagram, particularly if you have a business account, creator account, or any account with a significant following, pay attention. While high-profile accounts were the main targets, this vulnerability highlights a broader risk: AI systems that can take actions on your account might not always verify your identity.
Here are some practical steps to consider right now. First, enable two-factor authentication (2FA) on your Instagram account. This setting requires a second confirmation, like a code sent to your phone, whenever someone tries to log in from a new device. While it won’t block every attack, it raises the bar significantly. Second, check which third-party apps have access to your Instagram account in Settings, and revoke access for anything you don’t recognize or use regularly. Finally, if you find yourself locked out of your account unexpectedly, go directly to Instagram’s official help center instead of relying on AI chat for recovery steps.
As of now, Meta hasn’t publicly confirmed any patch or fix.
Community Reactions
“This is exactly what everyone warned about when companies started letting AI handle account support. The AI doesn’t actually understand consequences, it just pattern-matches to ‘helpful response.’”
“Bro they literally just ASKED for the account and got it?? I’ve been locked out of my own page for three months going through official recovery and some random hacker just chats the bot and wins. Wild.”
What To Watch
- Meta’s official response: The company hasn’t issued a public statement regarding the vulnerability or confirmed if it has been fixed. Keep an eye out for an official security advisory soon.
- Regulatory attention: Data protection authorities in the EU and UK have acted quickly on Meta security issues in the past. If high-profile accounts in those regions were affected, a formal inquiry could happen.
- Broader AI support security: This incident might prompt other platforms that use AI in account support, like Google, Apple, and TikTok, to check for similar gaps in their systems.
- Instagram’s recovery process: Meta may temporarily limit what Meta AI can do in support contexts while they implement a more permanent fix. If you’re currently in an account recovery process, expect possible delays.
Sources: 9to5Mac | Android Authority
Daniel Park
Daniel Park covers AI, cloud infrastructure, and enterprise software for Explosion.com. A former software engineer who transitioned to technology journalism 5 years ago, Daniel brings technical depth to his reporting on artificial intelligence, startup funding rounds, and the companies building the future of computing. He breaks down complex AI developments and business strategies into clear, actionable insights for readers who want to understand how technology is reshaping industries.



