What Happened: An AI Shortcut Became an Account Backdoor
In this incident, attackers abused Meta’s AI support chatbot to attach new email addresses to Instagram accounts and reset their passwords without ever holding the victim’s credentials, showing how a vulnerability in an AI-driven support workflow can turn polite chat prompts into full account compromise. Reports on Reddit and X described people seeing password reset attempts, repeated logouts, and then losing control of their profiles. Security researcher Jane Wong said “the password got changed without my knowledge,” highlighting how invisible the attack felt to victims. High‑profile accounts, including the Obama‑era White House handle and the Instagram of U.S. Space Force Chief Master Sergeant John Bentivegna, were among those hijacked. Many of the stolen profiles had short, distinctive usernames that are highly sought after, making this Meta AI flaw a gift to attackers looking for valuable “OG” accounts.

How the Chatbot Password Reset Exploit Worked
The attack chain was worryingly simple. First, hackers used a VPN to spoof a location near the target, helping them slip past Instagram’s usual login checks. Then they opened Meta’s AI Support Assistant and claimed to be the account owner. By asking the chatbot to attach a new email address to the victim’s Instagram profile, they shifted a key recovery channel into their control. The bot sent a verification code not to the real owner, but to the attacker-controlled inbox. Once the hacker read that code back in chat, the assistant displayed a “Reset Password” button, completing the account takeover without any password, phone, or existing email access. In some cases, this chatbot password reset route also bypassed two-factor authentication, turning a simple conversation into a full account takeover attack.

The Patch Problem: Frontend Fix, Backend Risk
Meta publicly said the issue was resolved and that it was securing affected profiles, yet Instagram accounts continued to be hijacked after that announcement. Reverse engineers and developers claimed Meta removed a visible “Get Support” button from the interface but left the underlying API endpoints open to scripted prompts. According to Android Authority, one of Jane Wong’s secondary accounts and the handle of Esther Crawford were both hijacked after Meta’s first fix. That suggests the initial patch focused on the user interface rather than on the backend logic that allowed the bot to change emails and trigger password resets. Meta later started emailing users it believed were impacted, warning that they might see password reset prompts or security questions as accounts were restored, which indicates the company was still cleaning up active and attempted takeovers.

Why AI Assistants Are Dangerous in Account Recovery
Security experts compared Meta’s AI assistant to an inexperienced employee handed powerful tools without clear guardrails. The chatbot was deployed to provide around-the-clock account help, but it was allowed to perform sensitive actions like changing login emails and initiating password resets without strong proof of identity or human review. That design choice turned conversational AI into an unintentional insider who trusted whatever the attacker claimed in chat. One expert said Meta’s “move fast and break things” mindset backfired when the bot could access and change account settings with weak constraints. Because no human at Meta joined these conversations, there was no extra check before the system handed control of a profile to someone new. The lesson is blunt: AI agents wired into authentication workflows can magnify a single logic mistake into thousands of automated account takeover opportunities.
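The two design mistakes described above (the verification code going to the address the requester supplied, and the fix living in the UI rather than in the tool the assistant calls) are easiest to see side by side. The following is an added example written for this page, not Meta’s code and not a description of any real Meta API: it is a toy model of a support assistant’s “change recovery email, then allow password reset” tool, with the flawed policy next to a hardened one that is enforced inside the tool itself. All account names, email addresses and codes are constructed for illustration.

```python
"""
Added example, not Meta's code: a toy model of a support assistant's
"change recovery email, then reset password" tool. All names, addresses and
codes are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    verified_email: str            # recovery channel the real owner controls
    two_factor_enabled: bool
    pending_email: Optional[str] = None
    pending_code: Optional[str] = None
    password_reset_allowed: bool = False


class Outbox:
    """Stand-in for the mail system: records which inbox each code went to."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, to: str, code: str) -> None:
        self.sent.append((to, code))


def _new_code() -> str:
    return f"{secrets.randbelow(10 ** 6):06d}"


def confirm_email_change(acct: Account, code: str) -> bool:
    """Shared confirmation step: the flaw is not here but in who received the code."""
    if acct.pending_code is not None and hmac.compare_digest(acct.pending_code, code):
        acct.verified_email = acct.pending_email
        acct.password_reset_allowed = True   # the "Reset Password" button appears
        acct.pending_email = acct.pending_code = None
        return True
    return False


# ---- Flawed tool: the design the article describes ------------------------
# The assistant takes the chat user's claim of ownership at face value and
# sends the verification code to the NEW address that user supplied, so the
# only check in the flow is controlled by whoever is typing.
def flawed_request_email_change(acct: Account, new_email: str, outbox: Outbox) -> None:
    acct.pending_email, acct.pending_code = new_email, _new_code()
    outbox.send(new_email, acct.pending_code)   # proof of identity goes to the requester


# ---- Hardened tool: policy enforced inside the tool, not in the UI ---------
class PolicyViolation(Exception):
    pass


def hardened_request_email_change(acct: Account, new_email: str, outbox: Outbox,
                                  second_factor_ok: bool) -> None:
    # Accounts with 2FA must pass the second factor before any recovery change,
    # so the chat route cannot be used to sidestep it.
    if acct.two_factor_enabled and not second_factor_ok:
        raise PolicyViolation("second factor required before changing recovery email")
    acct.pending_email, acct.pending_code = new_email, _new_code()
    # The code goes only to the channel the owner already controls; an
    # attacker-supplied inbox proves nothing. Because this check lives in the
    # tool, hiding a "Get Support" button is irrelevant to its safety.
    outbox.send(acct.verified_email, acct.pending_code)


def demo() -> Dict[str, object]:
    """Run both tools against a constructed account and report the outcomes."""
    owner, requester = "owner@example.invalid", "requester@example.invalid"
    out: Dict[str, object] = {}

    # Flawed flow: the requester's own inbox receives the code and can confirm.
    acct, box = Account("og_handle", owner, two_factor_enabled=True), Outbox()
    flawed_request_email_change(acct, requester, box)
    sent_to, code = box.sent[-1]
    out["flawed_code_sent_to"] = sent_to
    out["flawed_reset_unlocked"] = confirm_email_change(acct, code) and acct.password_reset_allowed

    # Hardened flow, 2FA account: blocked before any code is issued.
    acct, box = Account("og_handle", owner, two_factor_enabled=True), Outbox()
    try:
        hardened_request_email_change(acct, requester, box, second_factor_ok=False)
        out["hardened_blocked_by_2fa"] = False
    except PolicyViolation:
        out["hardened_blocked_by_2fa"] = True
    out["hardened_codes_issued_when_blocked"] = len(box.sent)

    # Hardened flow, no 2FA: the code reaches the owner only, and a wrong
    # code leaves the account untouched.
    acct, box = Account("og_handle", owner, two_factor_enabled=False), Outbox()
    hardened_request_email_change(acct, requester, box, second_factor_ok=False)
    out["hardened_code_sent_to"] = box.sent[-1][0]
    out["hardened_wrong_code_accepted"] = confirm_email_change(acct, "not-the-code")
    out["hardened_email_unchanged"] = acct.verified_email == owner and not acct.password_reset_allowed
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that the confirmation step is identical in both versions; what decides whether a chat request becomes a takeover is which inbox the code is sent to and whether the second factor is consulted, and both of those decisions sit in the tool the assistant invokes, not in the button that exposes it.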

What You Should Do Now if You Use Instagram
Even though Meta says it has fixed the flaw, users should treat this as a warning about the fragility of AI-driven support systems. First, double-check that the email address and phone number in your Instagram settings are correct and still under your control, especially if you own a short or high-profile handle. Turn on two-factor authentication and use an authenticator app rather than SMS where possible. Watch for unfamiliar login alerts, password reset emails you did not request, or prompts from Meta about security questions, any of which may indicate your account was in the risk window. If you are suddenly logged out or see unknown devices on your account, act fast: attempt account recovery, report the takeover through official help channels, and lock down the email inbox tied to the profile. Avoid sharing recovery codes or screenshots with anyone claiming to be support in unsolicited messages.