TL;DR
Hackers tricked Meta’s AI support chatbot into adding their email to victims’ Instagram accounts and resetting passwords. No victim email access needed.
The attack exploited Meta's AI Support Assistant. The Obama White House and a US Space Force official were among the compromised accounts. Instagram says it's fixed.
Hackers hijacked Instagram accounts over the weekend by tricking Meta’s own AI-powered support chatbot into granting them access. The attack required no access to the victim’s email, no phishing link, and no malware. The hacker simply asked the chatbot to add a new email address to someone else’s account.
A video posted on X showed the step-by-step process. The hacker used a VPN to spoof the target’s presumed location, avoiding Instagram’s automated account protections. They then opened a chat with Meta AI Support Assistant and asked the bot to add a new email address to the target’s account.
The chatbot sent a verification code to the hacker’s email address. The hacker shared the code back with the chatbot. The bot then displayed a “Reset Password” button. The hacker entered a new password and took over the account.
At no point did the hacker need to access the legitimate email address linked to the victim’s Instagram account. TechCrunch verified that the hacker’s public email mailbox, displayed in the video, received the verification code. The attack exploited a fundamental flaw: the AI chatbot treated the person it was talking to as the account owner without verifying their identity.
The compromised accounts included the Obama-era White House Instagram handle, which had been inactive since 2017, and the account of US Space Force Chief Master Sergeant John Bentivegna. Security researcher Jane Wong said her account was also taken over.
“The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday,” Wong said. “Quite concerning.” Multiple users on Reddit and X reported similar hijackings over the same weekend.
Instagram spokesperson Andy Stone said on Monday that the issue was fixed. It is unclear how many accounts were compromised. Meta did not respond to TechCrunch’s request for comment.
The attack is a textbook example of why deploying AI chatbots with account-level permissions is dangerous. Salesforce’s Agentforce customers have been reluctant to let AI agents take financially meaningful actions precisely because of this risk. Analyst Rebecca Wettemann described the fear as “the AI running off in the middle of the night and refunding a bunch of transactions.” Meta gave its AI the ability to reset passwords, and the AI did exactly what it was asked to do, for the wrong person.
The AI agent security landscape is producing new categories of vulnerability faster than companies can address them. OpenClaw’s Claw Chain exploit weaponised an agent’s own sandbox privileges. This Instagram attack weaponised an AI support bot’s account management privileges. The common thread: when an AI agent has the authority to act, the security of the system depends entirely on whether the agent can verify who is asking it to act.
The Meta AI Support Assistant was designed to reduce the cost of human customer service. It succeeded at that. It also created an attack surface that human support agents would not have: a human agent would have verified the caller’s identity before adding a new email to an account. The chatbot did not.
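The missing check, as an added sketch (not Meta's code, and not from the reporting): a support-agent tool that adds an email must prove ownership through an authenticated session or a contact already on file, never through the address being added. All function names, the in-memory stores and the sample addresses are hypothetical and constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data; every name here is hypothetical.
ACCOUNTS = {"victim_handle": {"emails": {"owner@example.com"}}}
OUTBOX = []    # (recipient, code) pairs; stands in for a mail service
PENDING = {}   # (account, new_email) -> one-time code


def send_code(recipient):
    code = f"{secrets.randbelow(10**6):06d}"
    OUTBOX.append((recipient, code))
    return code


def start_add_email_flawed(account, new_email):
    # Flaw: the code goes to the address the requester supplied, so echoing
    # it back proves control of the new mailbox, not of the account.
    PENDING[(account, new_email)] = send_code(new_email)
    return new_email


def start_add_email_hardened(account, new_email, session_owner=None):
    # An authenticated session for this account is accepted as proof of
    # ownership; the code then only confirms that the new mailbox works.
    if session_owner == account:
        recipient = new_email
    else:
        # Unauthenticated chat: challenge a contact already on file.
        recipient = sorted(ACCOUNTS[account]["emails"])[0]
    PENDING[(account, new_email)] = send_code(recipient)
    return recipient


def confirm_add_email(account, new_email, code):
    # One attempt per code: the pending entry is consumed either way.
    expected = PENDING.pop((account, new_email), None)
    if expected is None or not hmac.compare_digest(expected, code):
        return False
    ACCOUNTS[account]["emails"].add(new_email)
    return True
```

In the hardened path a requester who controls only the new mailbox never receives the code, so the agent has nothing to act on.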
This is the third high-profile AI deployment failure in a single week. Starbucks scrapped its AI inventory system after nine months of miscounts. Waymo’s flood recall failed within two weeks. Meta’s AI chatbot gave hackers the keys to Instagram accounts. The pattern is consistent: AI systems deployed at scale fail in ways their designers did not anticipate, and the failures are more consequential than the efficiencies they were built to deliver.