TL;DR: Hackers hijacked high-profile Instagram accounts by asking Meta’s AI support chatbot to change account email addresses without identity verification. Meta says the flaw is fixed, but attacks reportedly continued after the company’s announcement.
No phishing link. No malware. No SIM swap. Hackers took over high-profile Instagram accounts over the weekend by doing something disarmingly simple: they asked Meta’s AI customer support chatbot to change the email address on someone else’s account. The bot complied without verifying the requester’s identity, and the attacker then reset the password and locked out the rightful owner.
The technique, which was first reported by 404 Media, spread through Telegram channels where hackers shared the method and began advertising stolen handles for sale. Among the compromised accounts were the dormant Obama White House Instagram profile, which was used to post unauthorised AI-generated images, and the account of US Space Force chief master sergeant John Bentivegna.
Meta spokesperson Andy Stone said on Monday that “the issue that did happen has already been fixed.” But on Tuesday, more Instagram users reported losing access to their accounts, and members of the same Telegram channels claimed the exploit still worked, according to TechCrunch.
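The flaw described above comes down to a support agent's account-change action running without any check that the requester owns the target account. The following added example, which is not Meta's code and not taken from the reporting, contrasts that pattern with a server-side gate; the `Session` fields, function names, five-minute re-verification window and sample account are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

STEP_UP_MAX_AGE = 300  # seconds a re-verification stays valid (assumed policy)


@dataclass
class Session:
    """Server-side facts about the requester; never filled in from chat text."""
    account_id: Optional[str]    # account the requester is logged in to, if any
    step_up_at: Optional[float]  # time of last completed re-verification, if any


def change_email_unsafe(accounts, session, target, new_email):
    # Flawed pattern: the tool acts on whichever account the conversation
    # names and ignores who is actually asking.
    accounts[target]["email"] = new_email
    return "changed"


def change_email_guarded(accounts, session, target, new_email, now):
    # The decision is made outside the model, so nothing typed into the
    # chat can satisfy or bypass these checks.
    if target not in accounts:
        return "denied: unknown account"
    if session.account_id != target:
        return "denied: requester is not authenticated as the account owner"
    if session.step_up_at is None:
        return "denied: re-verification required"
    age = now - session.step_up_at
    if age < 0 or age > STEP_UP_MAX_AGE:
        return "denied: re-verification too old"
    accounts[target]["email"] = new_email
    return "changed"


def demo():
    # Constructed sample data: one account and an unauthenticated requester.
    accounts = {"alice": {"email": "alice@example.com"}}
    anonymous = Session(account_id=None, step_up_at=None)
    owner = Session(account_id="alice", step_up_at=990.0)
    return [
        change_email_guarded(accounts, anonymous, "alice", "x@other.example", 1000.0),
        change_email_guarded(accounts, owner, "alice", "alice@new.example", 1000.0),
        accounts["alice"]["email"],
    ]
```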











