Hackers Tricked Meta’s AI Chatbot Into Handing Over Instagram Accounts
Hackers tricked Meta’s AI chatbot into resetting Instagram passwords and hijacking high-profile accounts. Meta says the exploit is now patched.
In Brief
- Hackers tricked Meta’s AI support chatbot into resetting Instagram passwords and seizing high-profile accounts — including the Obama White House.
- The prompt-injection exploit bypassed 2FA and worked for months before Meta patched it over the weekend.
- Even basic SMS-based MFA blocked the attack, per Krebs on Security.
Hackers hijacked Instagram accounts — including the Obama White House and a U.S. Space Force chief — by tricking Meta’s AI support chatbot into handing over password reset codes. Instagram spokesperson Andy Stone confirmed the issue was patched Monday.
The attack was straightforward: use a VPN to match the target’s location, open a chat with Meta’s AI Support Assistant, and ask the bot to link a new email address to someone else’s account. The chatbot sent a verification code to the attacker’s email and presented a “Reset Password” button. No access to the victim’s actual email was needed.
Security researcher Jane Wong said her account was taken over the same way. “The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday,” Wong said. “Quite concerning.”
AI Chatbot as Attack Surface
The exploit circulated on Telegram channels over the weekend. Pro-Iran hackers defaced compromised accounts with propaganda and hijacked Instagram handles reportedly worth over $500,000, Krebs on Security reports. The exploit had been active since at least February.
Ian Goldin, a threat researcher at Lumen’s Black Lotus Labs, said the incident exposes a new category of vulnerability. “AI chatbots create interesting new attack surface, and we’re likely going to see a lot more of these kinds of attacks,” Goldin said. The pattern mirrors prompt-injection attacks that have targeted AI agents in development toolchains.
The breach highlights the same structural risk flagged in the MCP design flaw debate: AI systems with privileged access to account controls are only as secure as their prompt-handling logic. Meta deployed the AI assistant to replace its notoriously poor human support infrastructure for account recovery. The bot obliged every request — including those from attackers. The Verge reports that 404 Media first documented the exploit.
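The structural fix the paragraph above points at is to keep account-control decisions out of the chatbot's prompt-handling logic entirely. The following is an added illustration, not Meta's or Instagram's code: a deterministic policy gate that sits between an LLM support assistant and the recovery backend. The assistant may propose an action, but the gate decides where a verification code may be delivered, and it never trusts an address typed into the chat. The `Account`, `Session`, `Denied` and `issue_code` names, the rule set and the sample records are all constructed for this example.

```python
"""Added example (not Meta's or Instagram's code): a policy gate between an
LLM support assistant and account-recovery actions.

The assistant proposes a tool call; this gate applies fixed rules that do not
depend on anything said in the conversation. Names, records and rules are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import secrets


@dataclass
class Account:
    handle: str
    verified_email: str                      # contact the service already verified
    mfa_enabled: bool
    pending_codes: Dict[str, str] = field(default_factory=dict)  # code -> purpose


@dataclass
class Session:
    """What the backend knows about the requester, independent of the chat text.
    Geolocation is deliberately absent: a VPN defeats it, so it is not a signal."""
    authenticated_handle: Optional[str]      # None = anonymous chat requester
    mfa_passed: bool = False                 # step-up completed this session


class Denied(Exception):
    pass


def authorize_recovery_action(account: Account, session: Session, action: str,
                              proposed_destination: Optional[str] = None) -> str:
    """Return the only address a code may go to, or raise Denied.

    Constructed rules:
      * Codes for any account change go to the contact already on file,
        never to an address supplied during the chat (the article's flaw).
      * Adding a recovery contact needs the owner's authenticated session,
        plus MFA step-up when the account has MFA enabled.
      * An anonymous requester may trigger a password-reset code, but it
        is still delivered only to the verified contact on file.
    """
    if proposed_destination is not None and proposed_destination != account.verified_email:
        raise Denied("codes are delivered only to verified contacts on file")

    if action == "reset_password":
        return account.verified_email

    if action == "add_email":
        if session.authenticated_handle != account.handle:
            raise Denied("adding a contact requires the account owner's session")
        if account.mfa_enabled and not session.mfa_passed:
            raise Denied("MFA step-up required before changing recovery contacts")
        return account.verified_email

    raise Denied(f"unknown action {action!r}")


def issue_code(account: Account, session: Session, action: str,
               proposed_destination: Optional[str] = None) -> Tuple[str, str]:
    """Mint a six-digit code only after the gate approves; returns (destination, code)."""
    destination = authorize_recovery_action(account, session, action, proposed_destination)
    code = f"{secrets.randbelow(10 ** 6):06d}"
    account.pending_codes[code] = action
    return destination, code


def replay_article_scenario() -> Dict[str, str]:
    """Replay the flow the article describes against the gate, using constructed data."""
    victim = Account("victim_handle", "owner@example.com", mfa_enabled=False)
    results: Dict[str, str] = {}

    # Anonymous requester (location matched via VPN, no real authentication)
    # asks to link a new email and have the code sent there.
    attacker = Session(authenticated_handle=None)
    try:
        issue_code(victim, attacker, "add_email", proposed_destination="attacker@example.net")
        results["attacker_add_email"] = "allowed"
    except Denied as exc:
        results["attacker_add_email"] = f"denied: {exc}"

    # The real owner, authenticated and stepped up, may add a contact; the
    # confirmation code still goes to the address already on file.
    owner = Session(authenticated_handle="victim_handle", mfa_passed=True)
    destination, _ = issue_code(victim, owner, "add_email")
    results["owner_add_email_destination"] = destination
    return results


if __name__ == "__main__":
    for key, value in replay_article_scenario().items():
        print(f"{key}: {value}")
```

The point of the design is that the gate has no free-text input at all: the model can be talked into anything, but the only thing it can hand the backend is an action name and a handle, and the backend chooses the delivery address from its own records. Even an account without MFA is protected from the address-substitution step, and enabling MFA adds the step-up that, per Krebs on Security, blocked the exploit in practice.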
FAQ
How did the Instagram AI chatbot hack work?
Attackers used a VPN to match a target’s location, then asked Meta’s AI Support Assistant to add a new email to the account. The bot sent a verification code to the attacker’s email and offered a password reset option.
Which accounts were compromised?
The Obama White House Instagram account, the account of U.S. Space Force Chief Master Sergeant John Bentivegna, and security researcher Jane Wong’s account were among those hijacked.
Does multi-factor authentication stop this attack?
Yes. Krebs on Security reports that even the least robust form of MFA — SMS one-time codes — blocked the exploit. Accounts without MFA were vulnerable.
Has Meta fixed the issue?
Instagram spokesperson Andy Stone confirmed the vulnerability was patched and said the company is securing impacted accounts. No backend database was breached.
Accounts with SMS-based multi-factor authentication enabled were not affected by the exploit, per Krebs on Security.