Hackers reportedly abused Meta’s AI-powered Instagram support system to reset passwords and take over accounts without accessing victims’ emails.

A recent Instagram account hacking incident has raised concerns about the security of Meta’s AI-powered support systems.

Meta has fixed a security issue that allegedly allowed attackers to break into several Instagram accounts, including some belonging to well-known users, by exploiting weaknesses in the platform’s automated support system. Over the weekend, several users on X claimed that their Instagram accounts had been compromised.

Attackers exploited the support system to add their own email addresses to targeted Instagram accounts. After establishing the new email connection, they were able to trigger password recovery processes and take control of the accounts, bypassing the need to access the account owner’s original email.



The security issue was initially uncovered by researchers ZachXBT and Dark Web Informer, who reported that attackers had found a way to exploit Instagram’s account recovery system. The problem quickly drew broader attention as users across Reddit, X, and Telegram began sharing reports of compromised accounts and unauthorised access attempts.

Among the affected accounts were reportedly the Obama-era White House Instagram handle, beauty retailer Sephora, and the account of US Space Force Chief Master Sergeant John Bentivegna. Security researcher Jane Wong also shared on X that her Instagram account had been hacked.

“The password got changed without my knowledge, and I was getting different password reset attempts throughout yesterday. And I got repeatedly logged out from the IG iOS app,” Wong said in the post.


In March, Meta rolled out its automated support feature more widely across Facebook and Instagram, giving the system the ability to assist with sensitive matters such as password recovery and account management. The company pitched the service as a tool to directly help users resolve their account access and security issues.

When companies use AI chatbots for customer support, especially for sensitive tasks like recovering a lost account, changing email IDs, sending OTPs, or resetting passwords, the AI should not have the power to bypass security rules.

“This case also underlines a larger issue: as AI becomes part of customer support and account recovery, companies must ensure that AI assistants cannot override core security checks. Convenience should never come at the cost of identity verification,” Shashank Shekhar, Co-Founder, Future Crime Research Foundation, told Financial Express Digital.



The alleged exploit has been demonstrated widely in recent days in Telegram channels favoured by cybersecurity researchers and online threat-tracking communities. Videos and screenshots shared online indicated that hijacking an account took only a few steps, raising questions about how effective the platform’s security protections are.

“This case shows how cybercriminals are now exploiting not just users, but also automated support systems. Attackers allegedly manipulated Meta’s AI support chatbot into sending password reset codes to email IDs controlled by them, allowing account takeovers without stealing the victim’s phone or inbox access,” he noted.

How did hackers trick the Meta AI chatbot?

The video, shared by Dark Web Informer on X, outlines the steps followed in the attack. First, the attacker uses a virtual private network so that he or she appears to log in from the user’s location, which allows them to get past the automated checks set up by the company. Then, they contact Meta’s help assistant and request the addition of a new email.

After the new email address was added, a verification code was delivered to that address and used to complete the confirmation process. The system then provided an option to create a new password. Once the password was changed, the attacker was able to take over the Instagram account and lock out the original owner.
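One way to enforce the rule that a support assistant cannot override identity checks, shown as an added example (it is not Meta's code and does not come from the reporting). The action names, the data model and the requirement that the requester first prove control of a contact already on the account are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical names for the sensitive tool calls a support assistant can request.
SENSITIVE = {"add_email", "reset_password"}

@dataclass
class Account:
    handle: str
    verified_emails: set

@dataclass
class Session:
    # Set only by a separate verification service after the requester proves
    # control of a contact ALREADY on the account; the assistant cannot set it.
    proved_contact: Optional[str] = None

def authorize(account, session, action, target_email=None):
    """Return (allowed, reason) for a tool call requested by the assistant."""
    if action not in SENSITIVE:
        return True, "not sensitive"
    if session.proved_contact not in account.verified_emails:
        return False, "step-up required: prove control of an existing contact"
    if action == "reset_password" and target_email not in account.verified_emails:
        return False, "reset codes go only to previously verified addresses"
    return True, "ok"

def confirm_new_email(account, session, new_email, code_ok):
    """A code sent to the NEW address proves control of that inbox only, so it
    counts only on top of proof from an existing contact."""
    allowed, _ = authorize(account, session, "add_email", new_email)
    if not (allowed and code_ok):
        return False
    account.verified_emails.add(new_email)
    return True

def replay_reported_flow():
    """Constructed sample data: a requester with no proof of an existing
    contact asks to add an email and then reset the password."""
    acct = Account("sample_handle", {"owner@example.com"})
    requester = Session()  # plausible location, but no existing-contact proof
    added = confirm_new_email(acct, requester, "new@example.net", code_ok=True)
    reset, _ = authorize(acct, requester, "reset_password", "new@example.net")
    return [added, reset]

if __name__ == "__main__":
    print(replay_reported_flow())
```

The gate sits outside the assistant, so nothing said in the support conversation can change its decision.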

The incident has renewed attention on account security, although reports indicate that users with two-factor authentication enabled were generally protected from the attack. As a precaution, Instagram users should review their security settings and enable additional verification measures to help safeguard their accounts from unauthorised access.


The incident has raised questions about the effectiveness of the measures Instagram has in place to secure users’ accounts.

Accounts that were secured with two-factor authentication seem to have been immune to the hack, yet other users who had taken additional security measures also fell prey to the hacker. It is unclear to what extent the vulnerability was able to bypass the security measures in place.