TL;DR: Hackers tricked Meta’s AI support chatbot into adding their email to victims’ Instagram accounts and resetting passwords. No victim email access needed.

Hackers hijacked Instagram accounts over the weekend by tricking Meta’s own AI-powered support chatbot into granting them access. The attack required no access to the victim’s email, no phishing link, and no malware. The hacker simply asked the chatbot to add a new email address to someone else’s account.

A video posted on X showed the step-by-step process. The hacker used a VPN to spoof the target’s presumed location, avoiding Instagram’s automated account protections. They then opened a chat with Meta AI Support Assistant and asked the bot to add a new email address to the target’s account.

The chatbot sent a verification code to the hacker’s email address. The hacker shared the code back with the chatbot. The bot then displayed a “Reset Password” button. The hacker entered a new password and took over the account.

At no point did the hacker need to access the legitimate email address linked to the victim’s Instagram account. TechCrunch verified that the hacker’s public email mailbox, displayed in the video, received the verification code. The attack exploited a fundamental flaw: the AI chatbot treated the person it was talking to as the account owner without verifying their identity.
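
An added illustration, not Meta's code and not part of the original article: a minimal model of the email-change flow described above, contrasting a verification code sent to the requester-supplied address with one sent to the address already on file. Every name (`ACCOUNTS`, `Mailer`, `weak_start`, `hardened_start`, `simulate`) and address is hypothetical, and the hardened variant is an assumed mitigation, not a fix the article reports.

```python
import secrets

# Constructed sample state: one account and its on-file, owner-controlled email.
OWNER_EMAIL = "owner@example.com"
ACCOUNTS = {"victim_user": {"email": OWNER_EMAIL}}

class Mailer:
    """Stand-in for email delivery: records which mailbox received which code."""
    def __init__(self):
        self.inbox = {}

    def send_code(self, address):
        code = f"{secrets.randbelow(10**6):06d}"
        self.inbox[address] = code
        return code

def weak_start(mailer, username, new_email):
    # Flaw described in the article: the code goes to the address the requester
    # supplied, so a correct code proves control of the NEW mailbox only.
    return {"user": username, "new": new_email, "code": mailer.send_code(new_email)}

def hardened_start(mailer, username, new_email):
    # Assumed mitigation: challenge the contact point already on file, so only
    # someone who controls the existing mailbox can complete the change.
    on_file = ACCOUNTS[username]["email"]
    return {"user": username, "new": new_email, "code": mailer.send_code(on_file)}

def finish(pending, submitted_code):
    # Apply the change only when the submitted code matches (constant-time compare).
    if not secrets.compare_digest(pending["code"], submitted_code):
        return False
    ACCOUNTS[pending["user"]]["email"] = pending["new"]
    return True

def simulate(start_fn, readable_mailboxes):
    """Run one email-change request by someone who can read only
    `readable_mailboxes`; return True if the account's email was changed."""
    ACCOUNTS["victim_user"]["email"] = OWNER_EMAIL  # reset constructed state
    mailer = Mailer()
    pending = start_fn(mailer, "victim_user", "requester@example.net")
    codes = [c for box, c in mailer.inbox.items() if box in readable_mailboxes]
    return finish(pending, codes[0] if codes else "")

if __name__ == "__main__":
    print("weak flow, non-owner:    ", simulate(weak_start, {"requester@example.net"}))
    print("hardened flow, non-owner:", simulate(hardened_start, {"requester@example.net"}))
    print("hardened flow, owner:    ", simulate(hardened_start, {OWNER_EMAIL}))
```

A correct code only proves control of whichever mailbox it was delivered to, so the choice of delivery address is the identity check.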