How Hackers Turned Meta’s AI Support Bot into an Instagram Account Hijacking Tool

What the Instagram AI chatbot vulnerability was and why it matters

The Instagram AI chatbot vulnerability was a security flaw in Meta’s automated support assistant that allowed attackers to hijack Instagram accounts by persuading the bot to change account recovery details and reset passwords, without needing the real owner’s credentials, email, or phone. It turned customer support automation into an active account takeover mechanism. In practice, an attacker could initiate an account recovery flow through Meta’s AI support chatbot, attach a new email address they controlled, receive a verification code at that email, and then use the chatbot’s own interface to trigger an Instagram password reset. Because the system treated the AI assistant like a trusted help agent, the checks that should have verified the true account owner were missing or too weak. The result was a path to Instagram account hijacking that abused Meta’s own tools instead of breaking past technical defenses.

How attackers weaponized Meta’s AI to steal Instagram accounts

Attackers did not crack passwords or bypass complex encryption; they talked Meta’s AI into doing the hard work. Demonstrations shared on X showed hackers starting with a VPN to imitate the victim’s region and avoid location-based fraud checks, then opening a chat with Meta’s AI Support Assistant. From there, the prompt was simple: ask the bot to attach a new email address to the target’s Instagram account. The AI complied and sent a verification code to the attacker-controlled inbox instead of the real owner’s email. Once the attacker read that code back to the chatbot, the assistant displayed a convenient “Reset Password” button that completed the takeover. According to TechCrunch’s reporting cited by several outlets, the public email inbox used in one test did receive the verification code, confirming that this password reset exploit worked as shown in the videos.

High-profile hijacks and the limits of Meta’s initial fix

The AI chatbot vulnerability did not only affect small or inactive profiles. Reports and screenshots shared online indicated that accounts such as Barack Obama’s dormant White House handle, the beauty retailer Sephora, and U.S. Space Force chief master sergeant John Bentivegna’s personal profile were caught up in the wave of Instagram account hijacking. Security researcher Jane Manchun Wong also reported that her own account password was changed without her knowledge amid repeated reset attempts. Meta’s vice president Andy Stone wrote on X that “this issue has been resolved and we are securing impacted accounts,” and the company removed the prominent “Get Support” button that had surfaced the AI assistant workflow. Yet developers and reverse engineers later argued that Meta’s fix focused on the visible interface while the underlying API endpoints used by the AI chatbot remained exposed to scripted prompts and automated abuse.

Why the backend risk persists: AI support as an inexperienced employee

Cybersecurity specialists compared the Meta AI assistant to an inexperienced human support agent given too much power and too few verification rules. The bot was launched to provide 24/7 help with password and profile issues, but the account recovery flow appears to have lacked strict checks that would confirm ownership before changing sensitive data like email addresses. Some victims, including Wong, say they were compromised even with two-factor authentication enabled, suggesting that the AI-driven email change path could sidestep normal login protection once the chatbot accepted the attacker’s prompts. Researchers on forums and Telegram argued that while Meta has removed some user-facing access points, the AI chatbot vulnerability still exists behind the scenes as long as backend endpoints can execute high-risk actions on the basis of weak or manipulated prompts. In this view, the patch closed a door but left a window open.

Lessons for users and platforms deploying AI support bots

This incident is a warning about the risks of outsourcing security-critical workflows to AI without strict guardrails. AI support systems must be treated like powerful internal tools, not friendly chat widgets, and should never be able to change recovery emails or initiate password resets without strong, independent verification that the true account owner is present. For users, the main defenses against Instagram account hijacking remain familiar: enable multi-factor authentication, monitor email and login alerts, and respond quickly to unexpected password or email change notifications. But the deeper fix sits with platform owners. They need clear limits on what AI agents can see and change, thorough testing of edge cases and prompt abuse, and fully secured backend APIs. Without that, each new AI helper risks becoming a new password reset exploit for attackers to discover.
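The failure mode described in the two sections above (the verification code for a new recovery email is delivered to the very address the requester supplies, and the same interface then offers a password reset) can be shown beside the gate a platform should put between an AI agent and its account backend. The following is an added example, not Meta's code; `Account`, `outbox`, `weak_request`, `hardened_request` and the session flag are hypothetical stand-ins for the real mail system, session state and recovery API.

```python
"""Recovery-action gate between an AI support agent and the account backend.
Added example, not Meta's code: the weak flow the page describes (challenge
mailed to the NEW address the requester names) beside a hardened gate that
only mails the already-verified contact and requires an enrolled second
factor. Names are hypothetical; `outbox` stands in for the mail system."""
from dataclasses import dataclass, field
import secrets

@dataclass
class Account:
    username: str
    verified_email: str              # contact the real owner controls
    password_hash: str = "old-hash"
    totp_enrolled: bool = False
    pending: dict = field(default_factory=dict)   # code -> (action, value)

def weak_request(acct, action, new_value, outbox):
    """Weak flow: for add_email the code goes to the address being added,
    so whoever controls that inbox can finish the change."""
    code = secrets.token_hex(3)
    target = new_value if action == "add_email" else acct.verified_email
    outbox.append((target, code))
    acct.pending[code] = (action, new_value)
    return code

def hardened_request(acct, action, new_value, outbox, session):
    """Hardened flow: the requester never picks the delivery channel. Codes
    go only to the existing verified contact, and an enrolled second factor
    must already be satisfied in this session for any high-risk action."""
    if acct.totp_enrolled and not session.get("totp_passed"):
        return None                                  # step-up required
    code = secrets.token_hex(3)
    outbox.append((acct.verified_email, code))       # owner's channel only
    acct.pending[code] = (action, new_value)
    return code

def confirm(acct, code):
    """Apply the pending action for a code; unknown codes are rejected."""
    kind, value = acct.pending.pop(code, (None, None))
    if kind == "add_email":
        acct.verified_email = value
    elif kind == "reset_password":
        acct.password_hash = value
    return kind is not None

def codes_delivered_to(outbox, address):
    """Codes readable from one inbox (what whoever owns that inbox sees)."""
    return [code for to, code in outbox if to == address]
```

The point of the hardened version is that the agent's prompt cannot influence where the challenge goes or skip the second factor, so a persuasive chat message changes nothing about who must prove ownership.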
