The Evidence Pack: How Hackers Exploited Meta's AI Support Bot to Hijack Instagram Accounts

Over a single weekend in late May 2026, a string of high-profile Instagram accounts—including the dormant Obama White House profile, beauty retailer Sephora, and a senior U.S. Space Force official—were suddenly hijacked. The attackers did not use a sophisticated zero-day exploit or purchase stolen credentials on the dark web. Instead, they simply asked Meta's own artificial intelligence support chatbot to hand over the keys, and the bot cheerfully complied.[1][2]

The incident represents a watershed moment in cybersecurity, illustrating the severe risks of granting autonomous AI agents administrative power over digital identities. As technology giants race to replace human customer service representatives with large language models, the help desk has inadvertently transformed into a primary attack surface.[1][3]

The vulnerability stems from a major platform update initiated earlier in the year. In March 2026, Meta rolled out an AI-powered support assistant across Facebook and Instagram, marketing the feature as a frictionless solution for account recovery. The product page promised "Solutions, not just suggestions," aiming to eliminate the long wait times traditionally associated with human support queues.[1][4]

To fulfill this promise, Meta's engineers wired the chatbot directly into the company's account management backend. The AI was granted the authority to execute sensitive identity actions, including modifying email addresses and triggering password resets, fundamentally altering the platform's security architecture.[2][5]

Hackers quickly discovered that this helpful bot could be socially engineered. The attack methodology, which circulated widely in Telegram channels frequented by security researchers, required almost no technical sophistication. The first step involved reconnaissance: attackers identified the target account owner's home city and used a Virtual Private Network (VPN) to spoof that geographic location.[1][3]

By matching the target's geographic region, the attackers successfully evaded Instagram's automated security alarms. When the hacker opened a support chat, the system's location-based heuristics assumed the request was originating from the legitimate user, establishing a baseline of misplaced trust.[2][4]

Once connected to the AI assistant, the attacker would claim they were locked out of their account and request that a new, attacker-controlled email address be linked to the profile. The bot, designed to prioritize user assistance and lacking the ability to verify identity out-of-band, accepted the premise of the request without challenging the user's authenticity.[1][5]

The critical failure occurred during the verification phase. The AI bot sent a standard eight-digit verification code—but it sent that code directly to the new email address the attacker had just provided in the chat. The attacker simply checked their own inbox, pasted the code back into the chat window, and the bot verified the transaction.[3][5]

With the new email address successfully linked, the AI assistant surfaced a "Reset Password" button. The attacker clicked it, locked the original owner out, and gained total control of the account. The entire process took minutes and bypassed traditional safeguards, including Two-Factor Authentication (2FA), because the AI possessed the administrative privileges to override them.[1][4]

Cybersecurity professionals refer to this structural vulnerability as the "confused deputy" problem. Coined in the 1980s, the term describes a scenario where a highly privileged computer program is tricked by a malicious party into misusing its authority. The deputy—in this case, the AI bot—is confused about whose orders it is actually following.[2][6]

Large language models exacerbate the confused deputy problem because they operate via natural language interfaces. Unlike traditional software that requires specific, rigid inputs, AI chatbots are designed to interpret intent and accommodate user requests. This flexibility makes them highly susceptible to prompt injection, a technique where malicious instructions are disguised as benign conversation.[6]

Aiden Sinnott, a principal threat researcher at Sophos, noted that this type of attack will become increasingly common as more online services deploy chatbots without adequate protections. The AI's mandate to be helpful fundamentally conflicts with the skepticism required for secure identity verification.[6]

The timing of the exploit coincides with broader corporate restructuring within the tech industry. In May 2026, Meta cut approximately 8,000 jobs as part of a strategic pivot toward artificial intelligence, heavily reducing its human support and risk-management staff. Critics argue this reduction removed the critical human-in-the-loop oversight necessary to catch anomalous account recovery requests.[1][4]

Following the public exposure of the exploit by outlets like 404 Media and TechCrunch, Meta deployed an emergency patch over the weekend to close the vulnerability. Company representatives confirmed that the issue was resolved and that impacted accounts, including the high-profile targets, were being secured and restored to their rightful owners.[2][3]

Despite the patch, the incident leaves a lasting impact on how the industry views automated support. Organizations deploying AI in sensitive workflows are making a calculated bet that efficiency gains outweigh governance gaps. The Meta exploit serves as a stark reminder that AI systems must never be allowed to execute irreversible identity actions without independent, cryptographic authorization controls.[5][6]