Hackers Hijacked Instagram Accounts by Asking Meta's AI Chatbot

Key Takeaways

- Attackers bypassed two-factor authentication by convincing Meta's AI support chatbot to change account emails
- High-profile targets included the Obama White House account and the Chief Master Sergeant of the US Space Force
- The vulnerability is a 'confused deputy' attack where AI assistants hold more privileges than users themselves

The Attack: Simpler Than You'd Think
Hackers took over prominent Instagram accounts by asking Meta's AI support chatbot to swap the email address on file. No password cracking. No phishing links. Just a polite request to a chatbot that had the power to comply.
Targets included the Obama White House account, the Chief Master Sergeant of the US Space Force, and cosmetics chain Sephora. Short, highly coveted usernames, known as OG handles, changed hands within minutes and were resold on Telegram. These handles can fetch six-figure sums on gray markets.
Security researchers ZachXBT and Dark Web Informer documented the fallout publicly. Two of the compromised handles reportedly had a combined market value of over $1 million.
How the Method Worked
The attack sequence was surprisingly simple. Attackers turned on a VPN to place themselves in the target account's geographic region. They then initiated a password reset and told the AI support assistant to update the email address on the account, promising to send the confirmation code right away.
The bot then sent an eight-digit confirmation code to the attacker's email address, followed by a password reset link. Two-factor authentication was bypassed entirely because the attackers controlled the new email.
Where Meta's automated identity check kicked in, attackers got around it by running the victim's public Instagram photos through AI video generators, according to The CyberSec Guru. That produced realistic-looking selfie clips that fooled the automated security checks.
The Confused Deputy Problem
The CyberSec Guru calls this a textbook example of a well-known problem in IT security: the confused deputy. A helper system holds more privileges than the actual user, and an attacker tricks it into exercising those privileges on their behalf.
The AI assistant was allowed to swap email addresses and reset passwords. These are actions a regular Instagram user can't trigger directly. Anyone who asked the bot nicely got those actions performed without even being logged in first.
“This isn't just a bug; it's a fundamental failure in trust architecture when we grant generative agents administrative power over identity management.”
— Sarah Jenkins, Cybersecurity Lead at SentinelOne
Why Language Models Are Vulnerable
At its core, this is a prompt injection with particularly expensive consequences. The language model can't reliably tell the difference between a harmless user request and a malicious instruction. Both are just text.
The CyberSec Guru draws a comparison to SQL injection, where inputs get misread as commands. The difference is that SQL can be locked down with clear rules. A language model has no clean separation between data and instructions.
For irreversible steps like a password reset, there should have been a hard, non-negotiable check. A confirmation sent to the original email address on file. Or a push notification to an already verified device. That safeguard was missing from the API path the AI could call.
The Rush to Deploy AI Support
Meta announced in March that it was rolling out AI support for all Facebook and Instagram users. The promise: faster response times and 24/7 availability. The reality: an AI agent with write permissions for account recovery and no robust, independent confirmation steps.
Discussion on Hacker News and r/netsec focused heavily on the "incompetence" of granting an AI agent these permissions without adequate security guardrails or sandboxing. Users expressed concern that this represents a wider trend of tech companies rushing to deploy AI agents for customer support.
What Should Have Been Different
The fix isn't complicated in principle. High-risk actions like email changes and password resets should require confirmation through a channel the AI doesn't control. Send a code to the original email. Push a notification to a device that's already authenticated. Require a human review for accounts above a certain follower threshold.
None of these are new ideas. They're standard practice for traditional customer support flows. The problem is that someone gave the AI agent a shortcut that bypassed all of them.
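The safeguard described here and in the section on irreversible steps, sketched as an added example (it is not Meta's code and does not come from the original article). The `ActionGate` class, the follower threshold and the `outbox` list standing in for mail delivery are all assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

HIGH_RISK = {"change_email", "reset_password"}  # irreversible identity changes
REVIEW_FOLLOWERS = 100_000                       # assumed human-review threshold

@dataclass
class Account:
    handle: str
    email: str                                   # address on file
    followers: int
    outbox: list = field(default_factory=list)   # stands in for mail to that address

class ActionGate:
    """Hypothetical gate between the support agent and the account API."""

    def __init__(self):
        self.pending = {}                        # ticket -> (account, action, args, code)

    def request(self, account, action, args):
        """Called by the AI agent. Returns (status, ticket), never the code."""
        if action not in HIGH_RISK:
            return "allowed", None
        if account.followers >= REVIEW_FOLLOWERS:
            return "human_review", None
        code = f"{secrets.randbelow(10**8):08d}"
        ticket = secrets.token_hex(8)
        self.pending[ticket] = (account, action, args, code)
        account.outbox.append(code)              # goes to the ORIGINAL email only
        return "awaiting_owner", ticket

    def confirm(self, ticket, code):
        """Called from the owner's channel. The agent has no route to this."""
        entry = self.pending.pop(ticket, None)   # single use, even on a wrong code
        if entry is None or not hmac.compare_digest(code, entry[3]):
            return False
        account, action, args, _ = entry
        if action == "change_email":
            account.email = args["new_email"]
        return True  # reset_password: the link would now go to account.email
```

However the conversation with the agent goes, the address on file only changes after `confirm` receives the code that was delivered to the original address, and a wrong guess burns the ticket.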
Frequently Asked Questions
How did hackers bypass Instagram's two-factor authentication?
They didn't break 2FA directly. They convinced Meta's AI chatbot to change the email address on the account first. Once the attacker controlled the email, 2FA codes went to them instead of the legitimate owner.
What is a confused deputy attack?
A confused deputy attack occurs when a system with elevated privileges is tricked into using those privileges on behalf of an attacker. In this case, the AI support chatbot had permissions to change emails and reset passwords that regular users don't have.
Which accounts were compromised in the Instagram AI chatbot hack?
High-profile targets included the Obama White House Instagram account, the Chief Master Sergeant of the US Space Force, and cosmetics chain Sephora. Several OG handles worth six figures were also stolen and resold on Telegram.
How can companies prevent AI chatbot security vulnerabilities?
High-risk actions like password resets should require confirmation through channels the AI doesn't control, such as the original email address or a previously verified device. AI agents should not have direct access to APIs that perform irreversible identity changes.
What is prompt injection?
Prompt injection is when an attacker crafts input that causes an AI language model to perform unintended actions. Unlike SQL injection, there's no clean separation between user data and instructions in language models, making this vulnerability difficult to fully eliminate.
Source: The Decoder / Maximilian Schreiner
Manaal Khan
Tech & Innovation Writer