How Hackers Tricked Meta's AI Chatbot Into Stealing Instagram Accounts

Key Takeaways

• Hackers bypassed Instagram security by asking Meta's AI chatbot to change account email addresses while using VPNs to spoof locations
• The exploit was active since February 2026 and compromised thousands of accounts, including government pages and handles worth over $1 million
• The attack represents a 'confused deputy' problem where an AI with elevated permissions was manipulated through natural language

The Exploit Was 'Shockingly Easy'

Meta's AI support chatbot was supposed to help users recover locked accounts. Instead, it became an unwitting accomplice to hackers stealing Instagram profiles worth hundreds of thousands of dollars.

The attack was straightforward. Hackers would use a VPN to match their apparent location to the target account's region, start a password reset process, and then ask the AI chatbot to change the email address linked to the account. That's it. No code exploits, no zero-days. Just asking nicely.

Videos showing the exploit circulated through Telegram groups used by hackers and security researchers, according to 404 Media, which first reported the vulnerability. The outlet described the method as a 'shockingly easy' prompt injection attack.

Meta deployed an emergency patch on May 29, but not before the damage was done. The exploit had been active in the wild since February, according to Neowin, with hackers compromising thousands of accounts over roughly four months.

High-Profile Targets and Million-Dollar Handles

The Barack Obama White House account and the Chief Master Sergeant of the Space Force's official account were both temporarily compromised. While hijacked, both pages posted pro-Iranian images and messages before being recovered.

Security researcher Jane Manchun Wong reported that her own account was hacked using the same method. She was among several prominent researchers who discovered the vulnerability through personal experience.

But the attackers weren't just after political accounts. They targeted valuable Instagram handles for resale on the gray market. According to CyberSec Guru, the short handles @hey and @jowo had a combined gray-market valuation above $1 million. Even holding such accounts for a few days can be profitable for hackers due to 'clout, resale or brand impersonation.'

On May 31, pseudonymous researcher ZachXBT posted on X: 'The Meta AI support is garbage and has lots of access perms which allowed you to reset passwords to any user without 2FA and did not verify who you are.'

Dark Web Informer confirmed the same exploit on X while noting it had been recently patched.

The 'Confused Deputy' Problem, Now With AI

CyberSec Guru framed the exploit as a textbook example of the 'confused deputy' problem from computer security. In this classic scenario, a program with elevated permissions is tricked into misusing those permissions on behalf of a less privileged party.

The difference this time? The deputy wasn't a deterministic program with hard-coded rules an attacker would need to bypass with code. It was a large language model with a 'probabilistic response model you can nudge with words.'

“This isn't a bug in the code, it's a fundamental vulnerability in the design. We've taught these models to be helpful, and hackers have figured out that 'helpfulness' is the ultimate privilege escalation.”

— Marcus Thorne, Senior AI Security Researcher at Sentinel Labs

Meta integrated LLM-based support chatbots to handle the enormous backlog of account recovery requests from its billions of users. The system was designed for routine tasks like password resets. But it lacked human-in-the-loop verification for high-value accounts, allowing attackers to trick the model into overriding security protocols.

The Broader AI Security Concern

This incident fits a troubling pattern. Cybersecurity firms have observed a 500% increase in 'unauthorized account recovery' attempts since companies deployed large-scale automated AI support bots. An estimated 200,000+ Instagram accounts were compromised via AI-driven social engineering campaigns in Q1 2026 alone.

On Hacker News, users pointed out the irony of using AI to manage security, noting that LLMs lack the inherent 'skepticism' required for high-stakes identity verification. Reddit's r/cybersecurity community discussed the rise of 'AI-assisted social engineering,' where attackers use AI-generated scripts to bypass common support bot guardrails.

The fundamental tension is clear: companies want AI chatbots to be helpful and resolve issues quickly. Attackers exploit that helpfulness. Traditional security systems can be hardened with strict rules. AI systems trained on being accommodating present a different challenge.

What Users Can Do

The exploit specifically targeted accounts without two-factor authentication. ZachXBT noted that the AI could 'reset passwords to any user without 2FA.' Enabling 2FA remains the single most effective defense against account takeover, AI-assisted or otherwise.

• Enable two-factor authentication on all social media accounts
• Use an authenticator app rather than SMS-based 2FA when possible
• Monitor your email for unexpected password reset requests
• Consider using a dedicated email address for high-value accounts

Frequently Asked Questions

Has Meta fixed the AI chatbot exploit?

Yes. Meta deployed an emergency patch on May 29, 2026. The exploit had been active since approximately February 2026.

Which Instagram accounts were affected?

Thousands of accounts were compromised, including the Barack Obama White House account, the Chief Master Sergeant of Space Force's account, and valuable short handles like @hey and @jowo valued above $1 million combined.

How did the hackers bypass Instagram security?

Attackers used VPNs to spoof their location, initiated a password reset, then used prompt injection to convince Meta's AI chatbot to change the email address associated with the target account.

Does two-factor authentication protect against this attack?

Yes. According to researchers, the exploit only worked against accounts without 2FA enabled. Enabling two-factor authentication is the most effective protection.

What is a 'confused deputy' attack?

A confused deputy attack tricks a program with elevated permissions into misusing those permissions on behalf of an unauthorized party. In this case, the AI chatbot had permission to change account emails and was tricked into doing so for attackers.

Source: Ars Technica