Hackers Hijacked Instagram Accounts by Simply Asking Meta’s AI Support Chatbot to Change the Email
A logic flaw in Meta’s AI support assistant let attackers add their own email to any Instagram account and reset the password — bypassing 2FA entirely. Victims included the Obama-era White House handle and the Space Force’s top enlisted leader.
Over the weekend, attackers took over a string of high-profile Instagram accounts without cracking a single password or intercepting a single SMS code. They simply asked. A logic flaw in Meta’s AI-powered support chatbot let anyone request an email change on someone else’s account — and the bot obliged, handing over the keys while two-factor authentication never even triggered.
The attack chain, as documented by TechCrunch and The Decoder, took four steps. First, the attacker connected through a VPN or residential proxy in the victim's region, so Instagram's automated fraud detection saw nothing unusual. Second, they opened a chat with the Meta AI Support Assistant and asked it to add a new email address to the target account. Third, and this is the fatal flaw, the chatbot sent its verification code to the newly supplied address, the attacker's, rather than to a contact the account owner had already verified. The code therefore proved only that the requester controlled the new mailbox, which the attacker trivially did; it proved nothing about who owned the account. Once the attacker echoed the code back, the bot presented a "Reset Password" button. Step four: new password, full takeover.
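To make the flaw concrete, here is an added illustration written for this article, not Meta's code and not a reconstruction of its internals: a toy support-agent "add an email" tool in the shape the reporting describes (the one-time code goes to the address being added), next to a hardened version of the same tool that sends the code only to contacts the account already has on file and requires a 2FA step-up before the change lands. The account, addresses and codes are constructed for the example; `simulate_attack` replays the four steps above against both designs.

```python
"""Added example: a toy model of an AI support agent's "add an email" tool.

Illustrative code for this article, not Meta's implementation. It models the
class of flaw described above (the verification code proves control of the
NEW address the requester supplied, not ownership of the account) beside a
hardened version. Account names, addresses and codes are constructed.
"""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Account:
    username: str
    emails: list = field(default_factory=list)  # previously verified contacts
    totp_enabled: bool = False
    password: str = "original-password"


class Mailbox:
    """Stands in for email delivery: records the last code sent to each address."""

    def __init__(self):
        self.delivered = {}

    def send(self, address, code):
        self.delivered[address] = code

    def read(self, address):
        # Only the owner of an address can read its mail.
        return self.delivered.get(address)


class VulnerableSupportBot:
    """Sends the one-time code to the address being ADDED. Whoever asks, wins."""

    def __init__(self, accounts, mailbox):
        self.accounts = {a.username: a for a in accounts}
        self.mailbox = mailbox
        self.pending = {}

    def request_add_email(self, username, new_email):
        code = secrets.token_hex(4)
        self.pending[(username, new_email)] = code
        self.mailbox.send(new_email, code)  # flaw: requester-controlled address

    def confirm(self, username, new_email, code, totp_ok=False):
        expected = self.pending.pop((username, new_email), None)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        self.accounts[username].emails.append(new_email)
        return True  # the bot now offers "Reset Password"

    def reset_password(self, username, via_email, new_password):
        account = self.accounts[username]
        if via_email not in account.emails:
            return False
        account.password = new_password
        return True


class HardenedSupportBot(VulnerableSupportBot):
    """Same tool, but proof of ownership comes from what the owner already has."""

    def request_add_email(self, username, new_email):
        code = secrets.token_hex(4)
        self.pending[(username, new_email)] = code
        for existing in self.accounts[username].emails:
            self.mailbox.send(existing, code)  # existing verified contacts only

    def confirm(self, username, new_email, code, totp_ok=False):
        # Recovery is a sensitive action: 2FA-protected accounts need a step-up.
        if self.accounts[username].totp_enabled and not totp_ok:
            self.pending.pop((username, new_email), None)
            return False
        return super().confirm(username, new_email, code, totp_ok)


def simulate_attack(bot_cls):
    """Attacker controls only attacker@... and knows the victim's username."""
    mailbox = Mailbox()
    victim = Account("victim_og", ["owner@example.invalid"], totp_enabled=True)
    bot = bot_cls([victim], mailbox)
    attacker_email = "attacker@example.invalid"

    bot.request_add_email("victim_og", attacker_email)
    code = mailbox.read(attacker_email)  # None unless the code was sent here
    if code is None or not bot.confirm("victim_og", attacker_email, code):
        return False
    return bot.reset_password("victim_og", attacker_email, "pwned")


def simulate_owner(bot_cls):
    """The real owner can read owner@... and has their TOTP device."""
    mailbox = Mailbox()
    owner = Account("victim_og", ["owner@example.invalid"], totp_enabled=True)
    bot = bot_cls([owner], mailbox)
    bot.request_add_email("victim_og", "backup@example.invalid")
    code = mailbox.read("owner@example.invalid") or mailbox.read("backup@example.invalid")
    return bot.confirm("victim_og", "backup@example.invalid", code, totp_ok=True)


if __name__ == "__main__":
    print("vulnerable bot, attacker wins:", simulate_attack(VulnerableSupportBot))  # True
    print("hardened bot, attacker wins:", simulate_attack(HardenedSupportBot))  # False
    print("hardened bot, owner succeeds:", simulate_owner(HardenedSupportBot))  # True
```

The point the simulation makes is that the two bots share the same code-entry and password-reset logic; the only difference is where the code is delivered and whether the existing second factor is consulted. An agent tool that can change account contacts must bind its proof of ownership to something the current owner already controls, and the 2FA that protects login has to protect the recovery path that replaces it.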
The victims were not obscure. The compromised accounts included the dormant Obama-era White House Instagram handle, untouched since 2017, and the account of the U.S. Space Force’s top enlisted leader, Chief Master Sergeant John Bentivegna. Security researcher Jane Wong, whose own account was hijacked, said her password "got changed without my knowledge" amid a stream of reset attempts. Meanwhile, valuable "OG" usernames — short handles worth hundreds of thousands of dollars on gray markets — were stolen and resold on Telegram within minutes of each compromise.
Meta confirmed the vulnerability and patched it, with Instagram spokesperson Andy Stone announcing the fix on Monday. The company stressed that no backend database was breached — the AI assistant was tricked at the conversation layer, not hacked at the infrastructure layer. What Meta has not disclosed is how long the flaw was live or how many accounts were taken over before the patch landed.
The episode lands at an awkward moment for the industry: every major platform is racing to replace human support staff with AI agents that hold real administrative power — changing emails, resetting passwords, issuing refunds. This weekend showed what happens when that power is wired to a model that fails to verify the one thing that matters: whether the person asking actually owns the account.