Hackers asked Meta AI support to hijack Instagram accounts, and it said okay

Hackers used Meta AI to hijack Instagram accounts, raising developer concerns about AI agent permissions and account recovery security.

Meta has fixed an Instagram security issue after hackers reportedly used the company's AI support assistant to take over accounts by asking it to change the email address linked to a target profile.

404 Media first reported the details, and TechCrunch later said it had verified one part of the demo: the attacker-controlled mailbox did receive the verification code. Meta spokesperson Andy Stone said the issue had been resolved, according to The Guardian. It is still not clear how many accounts were affected.

The hacked accounts reportedly included high-profile and valuable Instagram profiles, including the Obama-era White House account, Sephora, and the account of U.S. Space Force chief master sergeant John Bentivegna. Some reports also mention short, high-value Instagram handles being listed in Telegram groups.

This is not a normal chatbot mistake. The important part is that Meta's AI support assistant was not just answering a question. It apparently had enough access to help change the recovery path of an account.

The reported attack was surprisingly simple

According to the reports, attackers did not need the victim's password or access to the original email account.

The reported flow was fairly ordinary at first. The attacker used a VPN so the login attempt looked like it was coming from a more believable location, then went into Meta’s AI support flow and asked for a new email address to be added to the Instagram account. The bot then sent a verification code to the attacker-controlled email address. After the attacker pasted that code back into the chat, the flow exposed a password reset option.

TechCrunch said it was able to verify that the public mailbox shown in one demonstration did receive the verification code.

That is why the story spread so quickly. It does not sound like a clever exploit chain. It sounds like account recovery became a conversation, and the wrong person was allowed to finish the conversation.

Developers saw an agent-permissions problem

The story became the top item on Hacker News, crossing 2,000 points and hundreds of comments. The discussion there was not only about Meta. A lot of it was about how AI agents should be designed when they can call privileged tools.

One of the clearest comments argued that for AI agent security, developers should look past the agent and focus on the tools it can access. If an attacker can talk to the agent, assume the attacker may eventually reach those tools unless the tools themselves enforce the right checks.

Reddit discussions in r/technology and r/cybersecurity made a similar point in rougher language. The issue is not whether a chatbot can be tricked by a prompt. The problem starts when that bot is allowed to change login emails, trigger password resets, or bypass recovery checks without another layer of verification.

Prompt safety still matters. But for account ownership, it cannot be the main security boundary.

Account recovery is not ordinary support

Meta introduced its AI support assistant as a way to provide faster help for Facebook and Instagram users. In that product messaging, Meta described the idea as giving users "solutions, not just suggestions", including actions around account access and password resets.

That is exactly where the risk changes.

For many Instagram users, an account is not just a profile. It is a creator business, a brand channel, a customer support surface, a social identity, and sometimes a valuable handle. Losing it can mean losing income, audience trust, years of posts, and access to people who may not be reachable anywhere else.

AI support can be useful for routine problems. It can explain policies, route tickets, summarize past actions, and help users navigate bad UI. But account recovery is different. Once the system is allowed to attach a new email or open a password reset path, it is no longer just support. It is control over ownership.

Meta says this particular issue has been fixed. The larger question is what AI support agents should be allowed to do without human review, time delays, existing-email confirmation, or stronger identity checks.

That question will matter far beyond Instagram. Any company adding AI to customer support will have to decide whether the assistant is only allowed to explain things, or whether it can actually change important state. The second version is much more useful. It is also where the security model has to be much harder.
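
The tool-level checks discussed above (the Hacker News point about enforcing checks in the tools, and the existing-email confirmation and time delay mentioned as controls) can be sketched as follows. This is an added example, not Meta's code and not taken from the reports; `request_email_change`, `Proofs`, `may_reset_via`, the 72-hour hold and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HOLD = timedelta(hours=72)  # assumed delay before a newly added address can reset the password

@dataclass
class Account:
    email: str
    pending_email: Optional[str] = None
    pending_since: Optional[datetime] = None

@dataclass(frozen=True)
class Proofs:
    """Set by server-side flows only; never parsed from chat text or agent arguments."""
    new_email_code_ok: bool = False         # code mailed to the NEW address was echoed back
    existing_email_confirmed: bool = False  # link mailed to the address on file was followed

class Denied(Exception):
    pass

def request_email_change(acct: Account, new_email: str, proofs: Proofs, now: datetime) -> str:
    """Tool exposed to the support agent. The authorization decision is made here."""
    if not proofs.new_email_code_ok:
        raise Denied("new address not verified")
    # Control of the new mailbox proves nothing about ownership of the account.
    if not proofs.existing_email_confirmed:
        raise Denied("existing address has not confirmed the change")
    acct.pending_email, acct.pending_since = new_email, now
    return "pending"

def may_reset_via(acct: Account, email: str, now: datetime) -> bool:
    """A pending address can trigger a password reset only after the hold period."""
    pending_ok = acct.pending_since is not None and now - acct.pending_since >= HOLD
    return email == acct.email or (email == acct.pending_email and pending_ok)

def demo() -> dict:
    """Constructed scenario: requester without, then with, existing-email confirmation."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    acct, new = Account("owner@example.com"), "new@example.net"
    out = {}
    try:
        out["code_only"] = request_email_change(acct, new, Proofs(new_email_code_ok=True), t0)
    except Denied as exc:
        out["code_only"] = f"denied: {exc}"
    out["confirmed"] = request_email_change(acct, new, Proofs(True, True), t0)
    out["reset_at_1h"] = may_reset_via(acct, new, t0 + timedelta(hours=1))
    out["reset_at_73h"] = may_reset_via(acct, new, t0 + HOLD + timedelta(hours=1))
    return out
```

Whatever the agent is told in conversation, the request that only proves control of the new mailbox is refused, and even a confirmed change cannot drive a password reset until the hold has elapsed.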