Meta AI Support Chatbot Exploited to Steal Instagram Accounts

Meta's AI chatbot was weaponized. Hackers used it to hijack thousands of Instagram accounts, including some with six-figure gray-market price tags, using an exploit that required only a VPN and a well-worded request to change email addresses without verification. But Meta didn't push an emergency patch until May 29, and by then high-profile handles had already been compromised and resold.

How the Attack Unfolded

The scheme was brutally simple. An attacker would fire up a VPN to roughly match the target account’s geographic region, trigger a password reset, then ask the AI‑powered support system to swap the email address on file. The bot obliged. No authentication check. No out‑of‑band confirmation. Just a prompt injection attack that nudged a large language model into misusing its permissions.

Prompt Injection at Its Simplest

The exploit videos circulated on Telegram for months. Researchers and criminals alike shared footage of the chatbot approving account changes it never should have authorized. As early as February, hackers were using the technique to scoop up thousands of Instagram accounts.

It didn't need code. But one of the most alarming aspects: the attack wasn't a buffer overflow or a zero‑day vulnerability in the traditional sense, but a probabilistic model told in plain English to do something it shouldn't.

Celebrity Accounts and Million‑Dollar Handles

The Obama White House Instagram account was among those temporarily taken over, posting pro‑Iranian images before it was locked down. The Chief Master Sergeant of Space Force account also broadcast unrecognizable messages. Both were seized at a time when the exploit had gained wider public attention.

$1 million. That’s the combined gray‑market valuation researchers placed on two short handles, @hey and @jowo, that hackers snatched and resold. Even a few days of control over such accounts can be cashed out through clout, brand impersonation, or outright extortion. Prominent security researcher Jane Manchun Wong also reported her account had been breached.

Researchers Sound Off

ZachXBT didn’t mince words. On May 31, the pseudonymous OSINT investigator wrote on X:

“the Meta AI support is garbage and has lots of access perms which allowed you to reset passwords to any user without 2FA and did not verify who you are.”

At the same time, Dark Web Informer confirmed the exploit while noting the patch had landed. Both accounts underscored that multi‑factor authentication, even the one‑time SMS codes Instagram offers, blocked the attack entirely. That detail would become a stubborn footnote in an otherwise damning story.

A Confused Deputy, Not a Typical Bug

Security analysts labeled the flaw a classic “confused deputy” problem. A component with elevated privileges, the AI support bot, was tricked into acting on behalf of a less privileged party. But here the deputy was not a deterministic program with hard‑coded logic you break through with code. It was a language model you can steer with words.

Why MFA Still Saved Accounts

The deputy could be fooled. Even the weakest form of multi-factor authentication, SMS-based codes, stopped the attack cold, and hackers openly admitted the exploit failed against accounts that'd turned on any type of MFA, but a second factor remained a hard gate.

Meta had launched its AI support assistant in March 2026, promising “reliable, 24/7 support for nearly any support issue at any time.” The assistant was designed to be helpful. It was. Just not only to legitimate users.

After the Emergency Patch

The May 29 fix slammed the door, but the episode exposed a widening risk: organizations are rushing to give AI agents the power to modify, create, or delete critical data. A safer architecture, one security blog noted, would require at least four things:

• Out‑of‑band verification before any account modification
• Rate limiting on AI‑initiated reset flows keyed to account risk signals
• Action logging with anomaly detection for unusual AI‑driven account changes
• A hard deterministic gate that no amount of conversational nudging can bypass

None of that was in place when the chatbot went live. For now, the takeaway is blunt: if an AI can change a password or an email address on your behalf, and you don’t have multi‑factor authentication turned on, the next support conversation might not be with the owner you think it is.