Hackers Hijacked Instagram Accounts by Asking Meta's AI Chatbot
Key Takeaways
- Attackers bypassed two-factor authentication by convincing Meta's AI support chatbot to change account emails
- High-profile targets included the Obama White House account and the Chief Master Sergeant of the US Space Force
- The vulnerability is a 'confused deputy' attack where AI assistants hold more privileges than users themselves
The Attack: Simpler Than You'd Think
Hackers took over prominent Instagram accounts by asking Meta's AI support chatbot to swap the email address on file. No password cracking. No phishing links. Just a polite request to a chatbot that had the power to comply.
Targets included the Obama White House account, the Chief Master Sergeant of the US Space Force, and cosmetics chain Sephora. Short, highly coveted usernames, known as OG handles, changed hands within minutes and were resold on Telegram. These handles can fetch six-figure sums on gray markets.
Security researchers ZachXBT and Dark Web Informer documented the fallout publicly. Two of the compromised handles reportedly had a combined market value of over $1 million.
How the Method Worked
The attack sequence was surprisingly simple. Attackers turned on a VPN to place themselves in the target account's geographic region. They then initiated a password reset and told the AI support assistant to update the email address on the account, promising to send the confirmation code right away.
The bot then sent an eight-digit confirmation code to the attacker's email address, followed by a password reset link. Two-factor authentication was bypassed entirely because the attackers controlled the new email.
Where Meta's automated identity check kicked in, attackers got around it by running the victim's public Instagram photos through AI video generators, according to The CyberSec Guru. That produced realistic-looking selfie clips that fooled the automated security checks.
The Confused Deputy Problem
The CyberSec Guru calls this a textbook example of a well-known problem in IT security: the confused deputy. A helper system holds more privileges than the actual user, and an attacker tricks it into exercising those privileges on their behalf.
The AI assistant was allowed to swap email addresses and reset passwords. These are actions a regular Instagram user can't trigger directly. Anyone who asked the bot nicely got those actions performed without even being logged in first.
“This isn't just a bug; it's a fundamental failure in trust architecture when we grant generative agents administrative power over identity management.”
— Sarah Jenkins, Cybersecurity Lead at SentinelOne
Why Language Models Are Vulnerable
At its core, this is a prompt injection with particularly expensive consequences. The language model can't reliably tell the difference between a harmless user request and a malicious instruction. Both are just text.
The CyberSec Guru draws a comparison to SQL injection, where inputs get misread as commands. The difference is that SQL can be locked down with clear rules. A language model has no clean separation between data and instructions.
For irreversible steps like a password reset, there should have been a hard, non-negotiable check. A confirmation sent to the original email address on file. Or a push notification to an already verified device. That safeguard was missing from the API path the AI could call.
The Rush to Deploy AI Support
Meta announced in March that it was rolling out AI support for all Facebook and Instagram users. The promise: faster response times and 24/7 availability. The reality: an AI agent with write permissions for account recovery and no robust, independent confirmation steps.
Discussion on HackerNews and r/netsec focused heavily on the "incompetence" of granting an AI agent these permissions without adequate security guardrails or sandboxing. Users expressed concern that this represents a wider trend in tech companies rushing to deploy AI agents for customer support.
What Should Have Been Different
The fix isn't complicated in principle. High-risk actions like email changes and password resets should require confirmation through a channel the AI doesn't control. Send a code to the original email. Push a notification to a device that's already authenticated. Require a human review for accounts above a certain follower threshold.
None of these are new ideas. They're standard practice for traditional customer support flows. The problem is that someone gave the AI agent a shortcut that bypassed all of them.
Another recent security vulnerability exploited in targeted attacks
Logicity's Take
Frequently Asked Questions
How did hackers bypass Instagram's two-factor authentication?
They didn't break 2FA directly. They convinced Meta's AI chatbot to change the email address on the account first. Once the attacker controlled the email, 2FA codes went to them instead of the legitimate owner.
What is a confused deputy attack?
A confused deputy attack occurs when a system with elevated privileges is tricked into using those privileges on behalf of an attacker. In this case, the AI support chatbot had permissions to change emails and reset passwords that regular users don't have.
Which accounts were compromised in the Instagram AI chatbot hack?
High-profile targets included the Obama White House Instagram account, the Chief Master Sergeant of the US Space Force, and cosmetics chain Sephora. Several OG handles worth six figures were also stolen and resold on Telegram.
How can companies prevent AI chatbot security vulnerabilities?
High-risk actions like password resets should require confirmation through channels the AI doesn't control, such as the original email address or a previously verified device. AI agents should not have direct access to APIs that perform irreversible identity changes.
What is prompt injection?
Prompt injection is when an attacker crafts input that causes an AI language model to perform unintended actions. Unlike SQL injection, there's no clean separation between user data and instructions in language models, making this vulnerability difficult to fully eliminate.
Need Help Implementing This?
Source: The Decoder / Maximilian Schreiner
Manaal Khan
Tech & Innovation Writer
Related Articles
Browse allZuckerberg's Superintelligence Lab Faces Setback
The first AI model from Zuckerberg's superintelligence lab has failed to impress compared to its rivals, sparking concerns about the lab's direction. We take a closer look at what happened and why it matters.
Muse Spark Launch Propels Meta AI App to Top 5
The recent launch of Muse Spark has significantly boosted the popularity of Meta AI app, pushing it into the top 5. We explore what this means for the AI landscape.
Meta's Muse Spark AI Model Lags Behind ChatGPT and Claude
Meta's Muse Spark AI model still can't outperform ChatGPT and Claude in key areas, despite its advancements. We explore what this means for the AI landscape.
Meta Launches Muse Spark AI To Challenge ChatGPT
Meta launches Muse Spark AI to challenge ChatGPT and Claude, we explore what this means for the AI landscape. Muse Spark AI is a significant development in the AI chatbot space.
Also Read
5 Network Mistakes That Are Killing Your Internet Speed
Your ISP isn't always to blame for slow internet. Five common home network mistakes, from router placement to outdated cables, could be throttling your connection before data even leaves your house.
5 Netflix Shows to Watch in June 2026
Netflix's June lineup includes a Michael Jackson trial documentary, the return of Sweet Magnolias, and Avatar: The Last Airbender Season 2. Here's what's worth your time this month.
Computex 2026 Day 1: Night Markets, MRT Trains, and AI Demos
Tom's Hardware's team offers a ground-level look at Computex 2026's opening day in Taipei. From Nvidia's two-hour demo marathon to Gigabyte's $1000+ 3D-printed motherboard, here's what caught our attention on the show floor.