Meta patches AI support bot flaw used to hijack Instagram accounts

In short: Hackers reportedly used Meta’s AI support chatbot to take over Instagram accounts, and Meta says it has fixed the problem.

What happened

Meta’s AI-powered support chatbot for Instagram was exploited in a way that let attackers hijack accounts, according to reporting from 404 Media and The Verge. A video shared on Telegram showed a hacker asking the chatbot to link a new email address to someone else’s Instagram profile.

Once the email was changed, the attacker could request a password reset and lock out the real owner. It is similar to changing the mailing address on someone’s bank account, and then using that new address to receive the reset letter.

Meta launched the AI support assistant in March to help with account recovery tasks like password resets and setting up two-factor authentication. Two-factor authentication is an extra login step, like a one time code sent to your phone.

The reports say attackers targeted valuable accounts, including short usernames, and used tools like a VPN. A VPN is a service that can make it look like your internet connection is coming from another place.

Meta spokesperson Andy Stone said on X that the issue has been resolved and that Meta is securing impacted accounts.

Why it matters

If a support tool can be tricked into changing an account’s email, it can turn a simple chat request into a full account takeover. For everyday users, this is a reminder to turn on two-factor authentication where possible, and to keep an eye on unexpected login and password reset alerts.

Source: The Verge AI