Meta AI bot let hackers hijack Instagram accounts
Meta’s AI support assistant changed account emails on request, allowing attackers to reset passwords and briefly hijack Instagram accounts including the Obama White House, Sephora and a senior Space Force official.
Meta’s AI support assistant changed Instagram account email addresses on request, allowing attackers to reset passwords and briefly hijack several high-profile accounts. Targets included the Obama White House’s former Instagram account, beauty retailer Sephora, a senior U.S. Space Force official and security researcher Jane Manchun Wong. Meta patched the flaw over the weekend.
Attackers opened Instagram support chats claiming they were locked out of accounts they did not own and asked the AI to update the account email. The assistant applied the change and sent a one-time code to the attacker, who used it to complete a password reset. The chatbot was connected to Meta’s account management systems with the authority to make changes but lacked adequate checks to confirm the requester’s identity.
To avoid triggering security alerts, attackers used VPNs to match the target’s geographic region and researched the target’s home city so that their sessions appeared legitimate. When account protections were tightened, some attackers supplied deepfake videos, generated from images harvested on Instagram, to pass verification steps. Security experts described the flaw as a “confused deputy” problem: the AI acted on its own privileges without verifying who was actually asking.
Meta introduced the AI assistant earlier this year to automate support and account recovery. Meta communications executive Andy Stone wrote on X that the company had fixed the issue and was securing impacted accounts. The company has not disclosed how many accounts were affected.
Investigators reported financial gain as a motive. Hijackers have extorted businesses that rely on Instagram for marketing and targeted short, early “OG” usernames that can be sold on underground markets. Hijacked business and celebrity accounts have been used to spread disinformation or solicit payments.
Security experts reported the technique failed against accounts protected by multi-factor authentication, including accounts using SMS codes. Instagram users can enable two-factor authentication through the app’s Settings and the Meta Accounts Center; an authenticator app generally provides stronger protection than SMS.
Researchers warned new variants are circulating. One method uses an Android emulator to run a modified Instagram client that sends prompts with hidden characters designed to manipulate the AI. More companies are adding AI assistants for customer support, and researchers noted systems need stronger verification before making account changes to reduce the risk of similar exploits.
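The confused-deputy pattern described above, and the stronger verification the researchers call for, can be shown side by side in a small authorization layer for an assistant's account-change tool. This is an added example, not Meta's code; `SupportSession`, the `accounts` directory and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SupportSession:
    """Assumed model of who is actually talking to the assistant."""
    authenticated_account: Optional[str]  # account ID proven by login; None if unknown
    step_up_verified: bool = False        # passed a challenge sent to the EXISTING contact

class AuthorizationError(Exception):
    pass

def change_email_confused_deputy(session, accounts, username, new_email):
    """Vulnerable pattern: the assistant holds the privilege and applies the
    change to whichever account the chat names. The session is accepted as a
    parameter but never consulted, so any requester can retarget the tool."""
    record = accounts[username]
    accounts[username] = {**record, "email": new_email}
    return accounts[username]["email"]

def change_email_hardened(session, accounts, username, new_email):
    """Hardened pattern: the target account must be the one the requester
    authenticated as, and changing a recovery contact additionally requires a
    step-up challenge delivered to the existing contact, never to the new one."""
    record = accounts[username]
    if session.authenticated_account is None:
        raise AuthorizationError("unauthenticated session: cannot modify any account")
    if record["id"] != session.authenticated_account:
        raise AuthorizationError("requester does not own the target account")
    if not session.step_up_verified:
        raise AuthorizationError("step-up verification to existing contact required")
    accounts[username] = {**record, "email": new_email}
    return accounts[username]["email"]

def constructed_accounts():
    """Constructed sample directory for the demo; not real account data."""
    return {"brand_account": {"id": "acct-100", "email": "owner@example.com"}}

if __name__ == "__main__":
    # A logged-out requester asking about someone else's account.
    stranger = SupportSession(authenticated_account=None)
    accts = constructed_accounts()
    print("deputy:", change_email_confused_deputy(stranger, accts, "brand_account", "x@example.com"))
    try:
        change_email_hardened(stranger, constructed_accounts(), "brand_account", "x@example.com")
    except AuthorizationError as exc:
        print("hardened refused:", exc)
```

The key difference is that the hardened tool derives the target from the authenticated session rather than from the chat text, so the assistant cannot be talked into spending its privilege on an account the requester does not own.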