Meta’s March AI Decision Opened Instagram to Account Hijackers
Meta’s AI support assistant launched in March with permission to reset accounts, and became the tool attackers used to hijack Instagram profiles in June.
Meta’s AI Support Assistant went live across all Instagram accounts on March 20, 2026, with explicit permission to handle password resets and email changes from start to finish. Seventy-three days later, that permission had become the attack surface, and high-profile accounts including the dormant Obama White House profile were being handed to anyone who knew the right sequence.
Two separate failures converged over the final weekend of May. Attackers found the assistant would add a new email address to any account it was told to, no proof of ownership required. A deepfake video bypass defeated the selfie verification check on accounts that had it enabled. Meta says both are fixed. The threat-intelligence group vx-underground reported on June 1 that accounts were still being stolen.
A Decision Made in March
Meta had been testing the AI Support Assistant internally since December 2025. The March 20 global rollout announcement came with specific capability claims: the assistant would handle account issues “from start to finish,” respond in under five seconds, and cover a “growing set of requests” including password resets. Within the same week, Meta began extending it to login recovery in the United States and Canada, with broader expansion planned.
The selfie video check arrived with that rollout, framed as an upgrade over the older ID-document upload. A live video was supposed to be harder to fake than a photograph. By early 2026, AI video generators could animate a static profile photo into a convincing moving clip in a few minutes, and the check had no way to tell them apart.
Meta’s announcement stated: “People will continue to play a key role in high-risk decisions, while AI handles repetitive or rapidly evolving threats.” The assistant launched with write access to email settings and password resets, with no independent confirmation step required before executing either. Meta also claimed its AI enforcement systems had already reduced account hacks by over 30 percent globally across Facebook and Instagram; the support assistant was the next phase of that effort.
How the Attack Ran
The method required no malware, no stolen password database, and no prior access to the victim’s inbox. TechCrunch reviewed a demonstration video of the exploit and confirmed the verification code arrived in the attacker’s email exactly as described. The full sequence ran in minutes.
- Connect through a virtual private network (VPN, software that masks your real location) set to the target account’s geographic region, bypassing Instagram’s location-based login alerts.
- Open Meta’s AI support chat and send a short message naming the target username and the attacker’s own email address, claiming to be the account owner needing help.
- The assistant sends an eight-digit verification code to the attacker’s email, followed by a password reset link.
- Enter the code, set a new password. The legitimate owner is signed out.
A second variant ran when the assistant triggered an identity check, typically on accounts under closer scrutiny. Attackers pulled the target’s public profile photos, ran them through an AI video generator to produce an animated face clip, and submitted that clip as the selfie. The system accepted it; the deepfake cleared the same check that legitimate users had to pass. Accounts protected with app-based two-factor authentication (2FA, a second login step beyond the password) held up better than those relying on SMS codes.
At no point in either variant did the attacker need to access the email address originally registered to the account.
The Accounts That Were Taken
The most visible target was @obamawhitehouse, the archived official account of the Obama administration, silent since January 20, 2017, but still carrying roughly 2.4 million followers. Hijackers posted an AI-generated image captioned “The White House is under Shiites’ control,” part of a coordinated wave of pro-Iranian content targeting US-linked social media accounts that weekend. Meta later restored it.
| Account | Profile Type | What Happened |
|---|---|---|
| @obamawhitehouse | Government archive, inactive since 2017 | Defaced with pro-Iranian imagery; later recovered |
| John Bentivegna, US Space Force | Chief master sergeant, senior enlisted leader | Account seized over the same weekend |
| Jane Manchun Wong | App reverse-engineering researcher | Locked out after repeated unauthorized reset attempts |
| @hey, @jowo | Short OG usernames | Stolen and listed on Telegram within minutes |
| @korn | Short OG username | Owner spent six hours in support with no resolution |
Short “OG” handles, usernames claimed by Instagram’s earliest users that carry name recognition and resale value, were the primary commercial target. @hey and @jowo were collectively valued at over $1 million on Telegram grey-market channels. Stolen accounts were listed for resale within minutes of each compromise; Dark Web Informer, a threat-intelligence account, documented the listings updating in real time. Buyers paid knowing Meta’s manual dispute process runs over days, meaning even brief control of a recognizable handle has value for impersonation, brand fraud, or resale.
André Berquó, an AI investor and writer, wrote on X that watching accounts disappear in real time left him more anxious than any social media security event he had followed in years. Jane Manchun Wong described a barrage of unsolicited password-reset attempts arriving before she lost access. The @korn owner spent six hours in Meta’s automated support funnel, received four broken links, and summarized the experience: “We’re at the point where one AI stole it, and another can’t fix it, zero humans in the loop anywhere.”
Meta’s Fix and the Reports That Followed
Andy Stone, Meta’s vice president of communications, posted on June 1 that the issue had been resolved and affected accounts were being secured. Meta’s formal statement that day was brief:
We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems, and people’s Instagram accounts remain secure.
Meta confirmed that no back-end database was accessed; the attack ran through a publicly available support interface. The company has not said how many accounts were affected, which specific verification rules changed, or whether the assistant’s write access to email and password settings was fully removed or only restricted at the surface level.
Hackers sharing the technique on Telegram claimed Meta had disabled a front-end button while the underlying interface remained reachable. vx-underground posted on June 1 that Instagram had still not properly patched the vulnerability and that “nerds continue to find ways to convince AI to reset accounts for them.” By June 3, Android Authority reported additional users locked out and Telegram channels still advertising stolen handles two days after Andy Stone’s statement.
Android Authority also cited unconfirmed internal sources placing the reduction of Instagram’s Trust and Safety division at roughly 60 percent, a result of Meta’s spring AI-first restructuring. Meta has not confirmed that figure. The company did confirm cutting more than 8,000 employees company-wide, with AI automation cited explicitly as the capacity that would replace the work those staff had covered.
The Confused Deputy and What It Costs to Fix
The attack has a formal name in computer security: the confused deputy problem. A trusted system holding elevated privileges gets tricked by an untrusted party into exercising those privileges on their behalf. The trusted system performs the action it was built to do, for the wrong person.
Meta’s support assistant had write access to two security-critical settings: email address and password. A trained human agent reviewing an email-change request on a high-value account would ask for additional confirmation before acting. The assistant treated the same request as routine, with no mechanism to flag the request as unusual regardless of the account’s profile or follower count.
The Open Worldwide Application Security Project (OWASP), which publishes a Top 10 risk list for large-language-model applications, ranks prompt injection first. The structural reason it resists a clean patch: a language model cannot reliably separate its own operating instructions from text a user sends in conversation, because both arrive as ordinary language. Filters reduce the exposure but cannot eliminate the category. The sequence described above needed no crafted injection at all; the assistant simply lacked a proof-of-ownership check before it acted, a gap the same OWASP list catalogues separately as excessive agency, and one that no amount of prompt filtering closes.
Ian Goldin, a threat researcher at Lumen’s Black Lotus Labs, described the support-bot hijackings to KrebsOnSecurity as part of a wider pattern: “AI chatbots create interesting new attack surface, and we’re likely going to see a lot more of these kinds of attacks.” The correct engineering response is to strip the agent of write access to security-critical settings and route those actions through a verification step the chatbot cannot satisfy on its own, for example a code delivered to the contact already on file rather than to an address the requester names, with a human reviewer for high-profile accounts. Meta’s emergency patch moved toward that position seventy-three days after the March decision made it necessary.
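The attack sequence above and the fix this section calls for, as an added example that is not Meta’s code and is not drawn from the article: a Python sketch of the tool layer a support assistant would call. The weak design takes the requester’s word as proof of ownership and mails the verification code to whatever address the requester supplied, which is the confused deputy in miniature. The hardened design challenges only the address already on file, binds the code to the exact change requested with a server-side HMAC ticket, limits guesses, and parks protected accounts for a human reviewer. Every account, address and the ticket scheme are assumptions constructed for illustration.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    email: str               # address on file: the only one ever challenged
    protected: bool = False  # archived/high-profile: never auto-executed

def sample_accounts():
    """Constructed sample directory for the demo, not real accounts."""
    return {"alice": Account("alice", "alice@example.org"),
            "archive_demo": Account("archive_demo", "owner@example.org", protected=True)}

class SupportTools:
    """Tool layer a support assistant calls. The model never holds the key,
    never sees a code, and cannot commit a write without a valid one."""
    CODE_TTL = 600       # seconds a challenge stays valid
    MAX_ATTEMPTS = 5     # wrong codes allowed per ticket

    def __init__(self, accounts):
        self.accounts = accounts
        self.outbox = []        # (recipient, text) the platform actually sent
        self.review_queue = []  # changes parked for a human reviewer
        self._key = secrets.token_bytes(32)   # assumed server-only secret
        self._attempts = {}     # ticket -> wrong-code count

    def weak_add_email(self, username, new_email):
        """Confused deputy: the requester's word counts as ownership and the
        code is mailed to the address the requester supplied."""
        code = f"{secrets.randbelow(10**8):08d}"
        self.outbox.append((new_email, f"Your code: {code}"))
        self.accounts[username].email = new_email   # write before any check
        return True

    def _tag(self, username, new_email, exp, code):
        msg = f"{username}|{new_email}|{int(exp)}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def begin_email_change(self, username, new_email, now=None):
        """Hardened step 1: challenge only the address on file, bind the code
        to the exact change requested, escalate protected accounts."""
        acct = self.accounts[username]
        if acct.protected:
            self.review_queue.append((username, new_email))
            return {"status": "human_review"}
        exp = int(now or time.time()) + self.CODE_TTL
        code = f"{secrets.randbelow(10**8):08d}"
        self.outbox.append((acct.email, f"Your code: {code}"))
        ticket = f"{exp}:{self._tag(username, new_email, exp, code)}"
        self._attempts[ticket] = 0
        return {"status": "challenge_sent", "ticket": ticket}

    def finish_email_change(self, username, new_email, ticket, code, now=None):
        """Hardened step 2: commit only with the on-file inbox's code, inside TTL and guess budget."""
        if ticket not in self._attempts:
            return False
        self._attempts[ticket] += 1
        if self._attempts[ticket] > self.MAX_ATTEMPTS:
            return False
        exp_s, tag = ticket.split(":", 1)
        if int(now or time.time()) > int(exp_s):
            return False
        if not hmac.compare_digest(self._tag(username, new_email, exp_s, code), tag):
            return False
        self.accounts[username].email = new_email
        del self._attempts[ticket]
        return True

def inbox(tools, address):
    return [text for to, text in tools.outbox if to == address]

def attacker_vs_weak(target="alice", attacker_email="evil@example.net"):
    """Attacker knows only the username. True if the account is now theirs."""
    tools = SupportTools(sample_accounts())
    tools.weak_add_email(target, attacker_email)
    return bool(inbox(tools, attacker_email)) and tools.accounts[target].email == attacker_email

def attacker_vs_hardened(target="alice", attacker_email="evil@example.net"):
    """Same attacker against the gated tool: (got_a_code, took_over)."""
    tools = SupportTools(sample_accounts())
    r = tools.begin_email_change(target, attacker_email)
    got = bool(inbox(tools, attacker_email))   # the code went to alice's inbox
    took = tools.finish_email_change(target, attacker_email, r["ticket"], "00000000")
    return got, took

def owner_vs_hardened(target="alice", new_email="alice-new@example.org"):
    """The real owner reads the code from the on-file inbox and succeeds."""
    tools = SupportTools(sample_accounts())
    r = tools.begin_email_change(target, new_email)
    code = inbox(tools, "alice@example.org")[-1].split()[-1]
    return tools.finish_email_change(target, new_email, r["ticket"], code)

def protected_account():
    """Protected accounts are parked for a human and never auto-changed."""
    tools = SupportTools(sample_accounts())
    r = tools.begin_email_change("archive_demo", "evil@example.net")
    return r["status"], len(tools.review_queue), tools.accounts["archive_demo"].email
```

The point of the split into two calls is that the assistant can only ask for a challenge and relay whatever the requester types back; the code never passes through the model, the HMAC ticket means a code delivered for one requested address cannot be replayed toward another, and the `protected` flag is the hook where a human-review requirement for high-profile accounts lives. In the attacker path the only visible effect is an unsolicited code landing in the real owner’s inbox, which is exactly the early warning Jane Manchun Wong described.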
Protecting Your Account While Meta Rebuilds the Check
Meta says the specific window is closed, and users targeted over the May 31 weekend should be receiving reset notifications from Instagram directly. For everyone else, Instagram’s two-factor authentication setup guide shows how to switch from SMS codes to an authenticator app, the configuration that held up better through the attack window.
- Use an authenticator app for 2FA. SMS codes can be intercepted or redirected, for example through a SIM swap at your carrier; app-generated codes are tied to your device and have no delivery path to hijack.
- Minimize clear facial images in public posts. Attackers sourced deepfake material directly from public profile photos available without logging in.
- Keep a record of the original account signup email and approximate creation date; those details are the documentation chain that manual recovery depends on if automated systems fail again.
- Watch for clusters of unsolicited password-reset messages; a single one could be spam, but repeated attempts within a short period were the early warning Jane Manchun Wong described before losing access.
Meta has not disclosed whether the assistant still holds any write access to account settings after Monday’s emergency patch, or under what conditions a manual human review would be triggered.