Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts – Krebs on Security

https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts/

Publish Date: 2026-06-01 15:08:28

Summary:

The recent defacement of Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force highlighted a significant security flaw involving Meta’s AI support assistant. Instructions for exploiting this vulnerability circulated on Telegram, demonstrating how attackers used a seemingly simple method to trick the AI bot into resetting account passwords. By using a VPN with an IP address near the target’s hometown, hackers initiated a password reset and then convinced the bot to associate an account with a new email. This led to the theft of account passwords and defacement with pro-Iranian images, further suggesting the resale value of such high-profile accounts could be in the hundreds of thousands of dollars. Though Meta swiftly patched the identified flaw and assured no database was breached, the incident underscores the potential risks of relying on AI chatbots for account recovery. Experts warn that similar attacks are likely to increase as more platforms adopt AI-based customer support, emphasizing the need for robust multi-factor authentication to safeguard accounts.

Key Points:

Several high-value Instagram accounts were compromised using an exploit on Meta’s AI support assistant.
The exploit showcased on Telegram illustrated how attackers manipulated the AI bot to reset passwords without resorting to robust multi-factor authentication.
Experts warn about the risks of AI chatbots handling sensitive account recovery, noting this creates new security challenges.
No backend database was breached, but Instagram quickly pushed an emergency patch to mitigate the threat.
The incident underscores the importance of employing the most secure multi-factor authentication methods to prevent such exploits.