Meta $META's AI support chatbot was exploited by hackers to take over a wave of Instagram accounts, including those belonging to high-profile users, before the company patched the vulnerability, according to TechCrunch.
Crucially, the method worked without the attacker ever controlling or accessing the email address the victim had on file with Instagram. To execute the takeover, an attacker would initiate a chat with Meta's AI Support Assistant and instruct it to register a different email address on the victim's account. A verification code would arrive at the address the attacker had provided; relaying that code back to the bot was enough to unlock a password reset prompt. Rounding out the technique was a VPN connection set to the victim's geographic region — since Meta's support system used physical location as an authorization signal, spoofing that detail was sufficient to keep Instagram's automated defenses from intervening, according to Engadget.
Among the compromised accounts were an Obama-era White House handle that had been inactive since 2017, the Instagram account of U.S. Space Force Chief Master Sergeant John Bentivegna, beauty retailer Sephora, and security researcher Jane Wong. "The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday," Wong told TechCrunch. "Quite concerning."
According to 404 Media, Telegram channels used by security researchers and hacking communities had been passing around video and image documentation of the technique. The same outlet noted that chatter about the flaw on Telegram dates back to March, which is also when Meta launched its AI support feature broadly across Facebook and Instagram — a rollout that included the ability to reset passwords and perform other sensitive account tasks.
On Monday, Andy Stone, Meta's VP of Communications, posted on X $TWTR to confirm a fix had been applied. "This issue has been resolved and we are securing impacted accounts," he wrote. It is unclear how many accounts were accessed before the patch was applied.
The episode highlights the risks of delegating account security and recovery functions to an AI chatbot. Victims of the account takeovers told 404 Media they were left without any path to reach a live person for help recovering access. Meta did not provide additional detail on the nature of the vulnerability or who was responsible for the account takeovers.
