
Hundreds of Instagram accounts — including the dormant Obama White House profile, the official Sephora page, and the Instagram of U.S. Space Force Chief Master Sergeant John Bentivegna — were hijacked over the weekend using a shockingly low-effort method: attackers simply asked Meta's AI support chatbot to hand over access. It complied.
The critical logical flaw in Meta's AI-powered Instagram account recovery assistant allowed threat actors to redirect password reset links to unauthorised email addresses, effectively seizing control of high-value Instagram accounts without ever triggering a traditional two-factor authentication challenge.
How the Attack Worked
The method required no malware, no phishing kit, and no access to the victim's inbox. Hackers tricked Meta's AI support chatbot into adding their own email address to a victim's Instagram account and resetting the password, simply by asking the chatbot to add a new email address to someone else's account.
The full attack chain was almost insultingly simple. The exploit appears to have involved using a VPN connection with an IP address in or near the target's usual hometown, requesting a password reset, and then choosing to chat with Meta's AI support assistant.
From there, attackers told the bot to link the target account to a new email address, after which the bot dutifully sent that address a one-time code that allowed a password reset.
The AI then sent an eight-digit code to the attacker's email address. The attacker entered that code and received a password reset link, giving them full access to the account. At no point did the legitimate owner receive an SMS alert, push notification, or warning of any kind.
The vulnerability had reportedly been quietly circulating in underground Telegram channels since at least late March. Neowin found that the exploit had been active in the wild for months, going as far back as February of this year, with hackers compromising thousands of accounts.
A Textbook "Confused Deputy" Problem — With an AI Twist
Security researchers were quick to identify what went wrong at the architectural level. The AI assistant held privileged write access to account management APIs that an average user could not invoke directly. An attacker with zero credentials fed the assistant a natural language command, and the assistant, lacking any deterministic authentication checkpoint, executed the API call without question.
This is technically known as a "confused deputy" vulnerability — a privilege escalation class first documented in 1988 — but with a dangerous modern twist. What made this structurally worse than a traditional confused deputy scenario is that the "deputy" here was a probabilistic language model, not a deterministic application. A traditional program requires bypassing hard-coded conditional logic; an LLM can be redirected with words alone.
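To make the architectural point concrete, here is an added illustration (not Meta's code, and not published by any of the researchers quoted) of the pattern described above: a stand-in "model" turns a chat message into a privileged account-management call, and the only difference between the vulnerable and hardened assistants is a deterministic authorization gate that sits outside the model. All names, the sample account and the email addresses are constructed for the demo.

```python
"""Confused-deputy demo: an AI support assistant with privileged write
access to an account-management API. Constructed example; all account
ids, email addresses and function names are hypothetical."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Who is actually chatting with the assistant (None = anonymous)."""
    user_id: Optional[str] = None
    mfa_verified: bool = False


@dataclass
class AccountStore:
    """Stand-in for the privileged account-management backend."""
    emails: dict = field(
        default_factory=lambda: {"victim": {"owner@example.com"}})
    audit: list = field(default_factory=list)

    def add_recovery_email(self, account_id: str, email: str) -> None:
        self.emails.setdefault(account_id, set()).add(email)
        self.audit.append(f"add_email {account_id} {email}")


def model_tool_call(prompt: str) -> dict:
    """Stand-in for the LLM: it maps text to a tool call and nothing else.
    Like the real model, it has no notion of who may make the request."""
    words = prompt.split()
    return {"tool": "add_recovery_email",
            "account": words[words.index("account") + 1],
            "email": words[-1]}


def vulnerable_assistant(store: AccountStore, session: Session, prompt: str) -> str:
    """The deputy: privileged API access, no deterministic checkpoint,
    so whatever the model emits is executed for whoever asked."""
    call = model_tool_call(prompt)
    store.add_recovery_email(call["account"], call["email"])
    return "done"


def hardened_assistant(store: AccountStore, session: Session, prompt: str) -> str:
    """Same deputy, but authorization is enforced in code the model
    cannot be talked out of: caller must own the account and be MFA-verified."""
    call = model_tool_call(prompt)
    if session.user_id is None or session.user_id != call["account"]:
        return "refused: caller is not the account owner"
    if not session.mfa_verified:
        return "refused: step-up verification required"
    store.add_recovery_email(call["account"], call["email"])
    return "done"
```

Run both assistants with an anonymous `Session()` and the prompt `"add to account victim the email attacker@example.com"`: the vulnerable one records the attacker's address, the hardened one refuses before the API is touched.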
Ian Goldin, a threat researcher at Lumen's Black Lotus Labs, put it plainly: "AI chatbots create interesting new attack surface, and we're likely going to see a lot more of these kinds of attacks."
A Second Bypass — Even With MFA Enabled
While Meta's emergency patch late Friday night blocked the primary exploit, in some cases, users were asked to verify their identity with a selfie — which was bypassed using AI.
Reports circulating on social media and security forums describe a second method where attackers grabbed a publicly visible photo of the target, ran it through an AI video generator to produce a deepfake selfie, and submitted it to Meta's video verification flow. Prominent developer Gergely Orosz noted that Meta — a company going all-in on AI — somehow missed the memo on how AI can generate images and videos that render "take a selfie" verification utterly useless.
This second method reportedly affected even accounts with MFA enabled, raising questions about whether Meta's patch was truly comprehensive.
Meta's Response and the Bigger Problem
Meta VP of Communications Andy Stone stated: "This issue has been resolved and we are securing impacted accounts." Internally, however, the incident landed awkwardly: it surfaced eleven days after Meta cut roughly 8,000 employees — including staff from its integrity division and cybersecurity teams specifically.
The stolen accounts moved fast. Premium short-handle accounts such as @hey and @jowo, valued at over $1 million combined, were quickly flipped through private Telegram channels before Meta could intervene.
What You Should Do Right Now
The primary exploit only worked on accounts without multi-factor authentication. Security experts strongly recommend enabling app-based 2FA — such as Google Authenticator or Authy — instead of SMS-based verification. Additionally: use a private email address not publicly linked to your Instagram profile, generate fresh backup recovery codes and store them offline, and audit active login sessions under Settings → Accounts Center → Password and Security.
Account recovery is specifically attractive as an attack target because it's designed to work when normal authentication is unavailable — meaning any AI-mediated recovery flow is already operating in a context where the system is relaxing its usual verification requirements, making it a natural target for exploitation. Meta may be the first major platform caught in this trap. It almost certainly won't be the last.