Hackers tricked Meta AI into hijacking Instagram accounts — here’s how

Security flaw reportedly exposed high-profile Instagram accounts to takeover

Hackers allegedly bypassed protections by manipulating Meta’s support chatbot.

An experiment in AI-powered customer support appears to have backfired for Meta after hackers allegedly hijacked Instagram accounts by manipulating the company’s own support chatbot into granting access.

The flaw, first reported by TechCrunch and detailed by cybersecurity outlet 404 Media, reportedly allowed attackers to trick Meta’s AI support assistant into changing the email linked to a target Instagram account. Once the new email was added, hackers could trigger a password reset and seize control — without phishing links, malware or direct access to the victim’s inbox.


According to reports, attackers used VPNs to spoof locations near their targets, reducing the likelihood of triggering Instagram’s automated security checks. Hackers interacted directly with the chatbot, asking it to attach a new email address to victim accounts before resetting credentials.

The exploit appears to have affected high-profile accounts as well as ordinary users. Reports linked the breach to temporary compromises involving accounts associated with the Barack Obama White House archive, beauty retailer Sephora and a senior US Space Force official, while users on Reddit and X reported similar takeovers over the weekend.

Meta said the issue has since been resolved. Company communications executive Andy Stone said affected accounts were being secured after the vulnerability came to light, according to multiple reports.

The incident lands at an awkward moment for Meta, which has been aggressively expanding AI-powered customer support and “agentic” assistants designed to carry out more tasks autonomously across its apps. The company has increasingly positioned AI not just as a chatbot feature, but as infrastructure embedded into everything from account support to shopping and productivity tools.

Cybersecurity experts say the episode highlights a broader challenge facing the tech industry: giving AI systems access to sensitive account-management tools without building enough hard verification steps around them. In this case, the problem was not a sophisticated software intrusion, but a support system seemingly persuaded to trust the wrong user.
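The "hard verification steps" point can be made concrete with a small sketch, added here as an illustration; it is not Meta's code and does not come from the reports. It shows a policy gate placed between a support assistant's proposed tool call and the account backend. All names (`authorize`, `issue_code`, the session fields) and the sample values are hypothetical and constructed.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"   # constructed; a real key would live in a KMS
SENSITIVE = {"change_email", "reset_password"}
CODE_WINDOW = 600                      # length of one code validity window, in seconds


def issue_code(account_id, action, now):
    """One-time code the server sends to the contact ALREADY on file, never via chat.

    The code is bound to the account, the action and the current time window.
    """
    msg = f"{account_id}|{action}|{now // CODE_WINDOW}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:8]


def authorize(tool_call, session, now=None):
    """Decide on a tool call the model proposed; returns (allowed, reason).

    Only a server-verifiable proof is consulted. Nothing the user typed or the
    model concluded, and no soft signal such as IP geolocation, counts as proof.
    """
    now = int(time.time()) if now is None else now
    action, target = tool_call["action"], tool_call["account_id"]
    if action not in SENSITIVE:
        return True, "low-risk action"
    supplied = session.get("step_up_code", "")
    expected = issue_code(target, action, now)
    if supplied and hmac.compare_digest(supplied, expected):
        return True, "step-up code from existing contact verified"
    return False, "sensitive action without owner proof; route to recovery flow"


# Constructed sample: the kind of request described in the reports.
NOW = 1_700_000_000
PROPOSED = {"action": "change_email", "account_id": "acct_123",
            "new_email": "new-address@example.net"}
# Soft signals only: nearby location and the model's own judgement.
SOFT_SESSION = {"geo_match": True, "model_says_verified": True}
```

With only soft signals in the session, `authorize(PROPOSED, SOFT_SESSION, now=NOW)` denies the change; it is allowed only when the session carries the code that was delivered to the existing contact for that exact action.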
