Attackers seized high-profile Instagram accounts this week without touching a single password, deploying malware, or sending a phishing link. They opened Meta’s AI Support Assistant, claimed to be the account owner, and the bot sent a one-time verification code to whatever email they specified. From there, a password reset took minutes.
The flaw traces to Meta’s March 2026 decision to expand the AI Support Assistant across Facebook and Instagram with authority to complete account recovery end to end, including password resets and email address changes. No identity verification checkpoint stood between the assistant and those account settings.
How the Chatbot Handed Over the Keys
The attack process, confirmed by TechCrunch after a reporter reviewed a video of the exploit, required no technical sophistication. 404 Media, which first broke the story, described its core lesson as “the extreme risk of offloading technical support to AI.”
Here is the documented sequence:
- The attacker enabled a VPN with an endpoint near the target’s presumed location, bypassing Instagram’s geolocation triggers.
- The attacker opened Meta’s AI Support Assistant, triggered the “forgot password” flow, and told the bot the account had been hacked.
- When the system requested facial verification, the attacker scraped photos from the target’s public profile, ran them through an AI video generator to create an animated facial clip, and submitted the result. Meta’s verification system accepted it.
- The bot sent an eight-digit code to the attacker’s specified email address, with no confirmation that the requester owned the original account.
- The attacker entered the code. The bot processed the email change.
- With the attacker’s email now linked to the account, a standard password reset locked the original owner out.
TechCrunch verified the attacker’s inbox received the code in real time. Screenshots shared in Telegram channels alongside step-by-step instruction sheets showed the attacker’s request needed fewer than 20 words: name the target account, specify a new email address, ask the bot to link them. A human support agent would have asked the requester to prove ownership before making any account email change; the AI processed the request as given.
The Accounts That Got Taken
The @obamawhitehouse handle, dormant since January 20, 2017, with roughly 2.4 million followers, was seized and briefly used to post an image captioned “The White House is under Shiites’ control.” Chief Master Sergeant John Bentivegna of the U.S. Space Force had his account defaced with pro-Iranian content. The beauty retailer Sephora’s official profile was also taken.
Jane Manchun Wong, an app researcher and former Meta employee known for reverse-engineering unreleased features, found her secondary four-letter handle compromised overnight. “The password got changed without my knowledge,” she wrote on X. “Quite concerning.” Two-factor authentication (2FA) had been active on the account.
The handles @hey and @jowo carried a combined gray-market valuation estimated above $1 million, documented by crypto-crime researcher ZachXBT and the threat-tracking account Dark Web Informer. Stolen usernames appeared on Telegram-based broker channels within minutes of each compromise. SecurityWeek reported hundreds of high-profile accounts were compromised and sold on the dark web before Meta intervened. The gray market for short social handles has operated for years; broker channels had infrastructure in place to move inventory the moment accounts became available.
Meta’s March Decision
In March 2026, Meta expanded its AI Support Assistant across all Facebook and Instagram accounts and gave the chatbot authority to act on account recovery requests end to end. The company’s account recovery support page describes the capability as “Account security and recovery” and promises “Solutions, not just suggestions.” The assistant could add email addresses, trigger password resets, and update profile settings without a mandatory human review at any step.
Instagram’s human support infrastructure had long frustrated users. Recovering a hijacked account through Meta’s ticketing system typically took days; for high-value handles, the back-and-forth stretched into weeks. The AI assistant was built to cut that friction.
Meta had cut more than 8,000 employees and reassigned roughly 7,000 others to AI-focused initiatives, per reporting by the New York Times. The layoffs hit Meta’s integrity division and cybersecurity teams specifically, according to one security analysis published in the days after the exploit went public. Unconfirmed reports have suggested Instagram’s Trust and Safety team was reduced by around 60 percent, though Meta has not confirmed that figure.
404 Media first reported the method publicly, with early coverage cataloguing accounts taken before Meta acknowledged the scope of the problem. The publication noted the feature had been available for months before exploitation instructions began circulating on Telegram on June 1, leaving unanswered how many accounts had been taken quietly before that date.
A Fix That May Not Be One
On Monday, Andy Stone, Meta’s Vice President of Communications, posted in replies to affected users that the incident was resolved. By Tuesday, users on the same channels that had spread the original instructions were reporting fresh takeovers.
“We’re at the point where one AI stole it, and another can’t fix it, with no humans involved.”
That came from the owner of the @korn handle, who spent six hours trying to reach Meta support and received four broken links from the AI system in return. André, another user whose account was seized, described the same loop: “You’re talking to a chatbot that has no ability to help. You can’t escalate to a human. You’re just stuck.”
Several users in the Bugify Vault Telegram channel claimed Meta’s remedy amounted to removing the front-end “Get Support” button from the AI support interface. The underlying API endpoints, they reported, remained accessible through direct requests, scripts, and automated bots. Android Authority reported accounts continuing to be hijacked after Stone’s announcement.
Esther Crawford, Meta’s Director of Product Management, posted that her five-letter handle had been taken after Stone said the issue was resolved. In a follow-up, Stone told users they might receive password reset prompts or security questions on login, suggesting the company had restricted some recovery workflows. What specific backend changes were made, Meta did not confirm.
The Design Flaw Under the Incident
Security researchers identified the root cause as a variant of what computer science calls the “confused deputy” problem, a class of privilege escalation documented since a 1988 paper by software engineer Norm Hardy. The AI assistant held privileged write access to account management APIs that regular users could not invoke directly. An attacker with no credentials submitted a plain-text chat request, and the assistant, acting as a deputy with elevated permissions, executed the API call without any authentication checkpoint. What made this structurally worse than a traditional confused deputy scenario, as cybersecurity researchers noted, is that the “deputy” here was a probabilistic language model: redirect it with words alone, no code exploit required.
| | Human Support Agent | Meta AI Support Assistant |
|---|---|---|
| Identity check before email change | Required | Not applied |
| Escalation path for disputed requests | Available | Absent |
| Time to process a request | Hours to days | Minutes |
| Susceptible to social engineering | Yes | Yes |
The Open Worldwide Application Security Project’s Top 10 for Large Language Model Applications lists Excessive Agency as a primary risk category: AI systems granted irreversible write permissions over sensitive user data without a mandatory human confirmation step in the loop. The OWASP framework has flagged the category since the list’s launch in 2023, specifically warning against giving LLMs the ability to trigger irreversible actions without human oversight.
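As an added illustration (not Meta's code; account names, addresses and the function names are constructed), the deputy dispatch the article describes is shown beside a gated version that applies the identity check, escalation path and existing-contact verification the comparison table calls for:

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Who is actually talking to the assistant, established by login, not by chat text."""
    user: Optional[str]                 # None models an anonymous "forgot password" chat
    step_up_ok: bool = False            # True once a code sent to the EXISTING contact was entered
    pending_code: Optional[str] = None  # challenge awaiting entry, delivered out of band


def vulnerable_change_email(accounts: dict, claimed_owner: str, new_email: str) -> str:
    """The confused-deputy pattern from the article: the privileged API runs on whatever
    account name and email the chat supplies; nothing ties the requester to the account."""
    accounts[claimed_owner]["email"] = new_email
    return "changed"


def hardened_change_email(accounts: dict, session: Session, account: str,
                          new_email: str, review_queue: list) -> tuple:
    """Same API, gated: the assistant may only request this action, never bypass the checks."""
    # 1. Identity check before email change: the authenticated principal must own the account.
    if session.user != account:
        # 2. Escalation path: a disputed request becomes a human-review ticket, not an API call.
        review_queue.append({"account": account, "requested_by": session.user,
                             "action": "email_change", "new_email": new_email})
        return ("escalated_to_human", len(review_queue))
    # 3. Step-up verification goes to the contact already on file, never to the
    #    requester-supplied address (in the incident the code went to the attacker's inbox).
    if not session.step_up_ok:
        session.pending_code = f"{secrets.randbelow(10**8):08d}"  # sent to the existing email
        return ("challenge_sent", accounts[account]["email"])
    accounts[account]["email"] = new_email
    return ("changed", new_email)
```

The vulnerable function accepts any account name typed into the chat; the hardened one refuses until the requester's session is the account being changed and a code delivered to the existing contact has been entered.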
Ian Goldin, a threat researcher at Lumen’s Black Lotus Labs, told Krebs on Security the industry is entering uncharted territory as major platforms expand AI system authority over account operations. “Just like human customer support employees can be social engineered into providing unauthorized access to someone’s account,” Goldin said, “AI bots are equally eager to help and vulnerable to persuasion and trickery.”
Steps That Reduce Your Risk Now
The attack exploited Meta’s infrastructure rather than anything on a user’s device, which limits what individual users can do to prevent it entirely. These steps reduce exposure.
- Enable two-factor authentication on Instagram and Facebook via account Security settings. Instagram’s account security help pages walk through the setup. The primary attack path documented by TechCrunch was unlikely to succeed against accounts with any form of multi-factor authentication (MFA) active, per Krebs on Security, though variants using AI-generated facial verification videos bypassed 2FA in some reported cases.
- Limit the number of publicly visible photos that clearly show your face. The secondary attack path relied on scraping public profile images to create facial verification videos.
- Keep your recovery email address and phone number current and secured with a strong, unique password separate from your social media login.
- Save proof of account ownership: your original signup email and approximate account creation date are what Meta’s manual review process requests when a dispute reaches a human reviewer.
- Act immediately on any password reset notification or security code you did not request. An unsolicited code means an active attempt is in progress.
Meta’s public follow-up told users to expect possible password reset prompts and security questions on login. The company did not specify what changes had been made to the underlying recovery workflows.
As of publication, users on the channels that spread the original exploitation instructions were reporting continued access to Instagram accounts.
