Meta AI Support Flaw Let Hackers Hijack Instagram Accounts

Meta’s AI Support Chatbot Was Weaponized to Hijack Instagram Accounts, No Malware Required

A critical flaw in Meta’s AI Support Assistant on Instagram allowed attackers to seize control of accounts belonging to high-profile individuals and organizations using nothing more than a target’s username and a VPN. No malware, no phishing link, and no access to the victim’s email account was required at any point. The exploit was publicly exposed on June 1, 2026, by security researchers ZachXBT and Dark Web Informer and patched by Meta the same evening, but not before attackers had already been monetizing the vulnerability for weeks.


The Attack Chain: Dangerously Simple

The mechanics of this exploit are what make it so alarming. Meta’s AI Support Assistant, a chatbot introduced in December 2025 for 24/7 account recovery, was designed to help users regain access to their Instagram accounts without waiting for a human support agent. That convenience became the attack surface.

The attack followed a precise sequence: an attacker connected to Meta’s AI Support Assistant using a VPN configured to match the target account’s presumed geographic region, bypassing Instagram’s location-based account protections. The attacker then asked the chatbot to add a new email address to the target’s account. The chatbot, treating the person it was speaking with as the account owner, sent a verification code directly to the attacker’s email. The attacker supplied that code back to the chatbot. The bot then presented a password reset button. The attacker set a new password, and the account was theirs.

At no point was the legitimate account owner notified in time to intervene. A video documenting this step-by-step process circulated on X (formerly Twitter) and was independently verified by TechCrunch.


The flaw was not a server breach. Meta confirmed no backend systems were compromised. The vulnerability lived entirely inside the AI chatbot’s decision-making logic: it treated account ownership as implied by the conversation rather than verified through authentication. There was no rate limiting, no identity confirmation challenge, and no requirement to prove access to the existing email or phone number registered to the account.


High-Profile Accounts Compromised, Sold on Telegram

Attackers moved quickly once they had the exploit in hand. According to reporting from 404 Media, threat actors had been aware of this vulnerability since at least March 2026, giving them roughly three months of quiet exploitation before it surfaced publicly.

Among the confirmed compromised accounts were the Obama-era White House Instagram handle (@obamawhitehouse), dormant since January 2017, which was briefly used to post inflammatory content before Meta intervened. US Space Force Chief Master Sergeant John Bentivegna’s account was also seized, as was the account of security researcher Jane Manchun Wong, who publicly described discovering her password had been changed without her knowledge. Developer Albert Renshaw’s coveted single-word handle @albert; fashion retailer Sephora’s account; and premium short-handle accounts including @hey and @jowo, collectively valued at over $1 million on underground markets, were among those reported stolen.

Stolen accounts were rapidly listed and sold through private Telegram channels. Dark Web Informer tracked active account listings in real time, confirming just how professionalized the account-takeover-as-a-service (ATO-as-a-service) ecosystem has become. Speed was a deliberate operational feature: accounts were flipped before Meta’s response teams could intervene.


The Root Cause: AI Given Account-Level Authority Without Verification Controls

This incident is a textbook consequence of deploying an AI agent with the authority to execute sensitive, irreversible account actions without first verifying who it is talking to. A trained human support agent would have confirmed a caller’s identity before adding a new email address to an account. The chatbot did not.

The underlying issue is a form of prompt injection, where an attacker manipulates an AI system’s inputs to trigger unintended privileged actions. In this case, the AI’s own account management permissions became the attack vector. The chatbot was doing exactly what it was designed to do: help someone access an account. It simply had no reliable mechanism to distinguish the legitimate account owner from a stranger with a VPN and a target’s username.
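To make the missing control concrete, here is an added toy model (not Meta’s code, and not based on any knowledge of its implementation) of a support bot’s “add email” tool: the flawed decision that treats the conversation partner as the owner and mails the challenge code to the address they just supplied, beside a hardened version that requires an authenticated session, sends the code to the contact already on file, and rate-limits attempts. The account store, outbox, usernames and addresses are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed toy model of a support bot's "add email" tool; not Meta's code.
@dataclass
class Account:
    registered_email: str                        # contact the real owner controls
    password: str
    pending: dict = field(default_factory=dict)  # verification code -> proposed email
    attempts: int = 0

ACCOUNTS = {"victim": Account("owner@example.com", "hunter2")}
OUTBOX: list[tuple[str, str]] = []               # (recipient, code); stands in for email

def add_email_vulnerable(session_user, username, new_email):
    # Flawed: ownership implied by the conversation; code sent to the requester's own address.
    code = secrets.token_hex(3)
    ACCOUNTS[username].pending[code] = new_email
    OUTBOX.append((new_email, code))

def add_email_hardened(session_user, username, new_email):
    # Fixed: caller must be authenticated as the account; code goes to the contact on file; rate limited.
    acct = ACCOUNTS[username]
    if session_user != username:
        raise PermissionError("not authenticated as the account owner")
    if acct.attempts >= 3:
        raise PermissionError("too many attempts; escalate to human review")
    acct.attempts += 1
    code = secrets.token_hex(3)
    acct.pending[code] = new_email
    OUTBOX.append((acct.registered_email, code))

def confirm_and_reset(username, code, new_password):
    # Second step from the article: a valid code adds the email and unlocks a reset.
    acct = ACCOUNTS[username]
    if code not in acct.pending:
        return False
    acct.registered_email = acct.pending.pop(code)
    acct.password = new_password
    return True

def anonymous_requester_can_reset(handler):
    # Replay the unauthenticated flow against a handler; True means takeover succeeded.
    OUTBOX.clear()
    try:
        handler(None, "victim", "stranger@example.net")   # no login, only the username
    except PermissionError:
        return False
    codes = [c for to, c in OUTBOX if to == "stranger@example.net"]
    return bool(codes) and confirm_and_reset("victim", codes[0], "new-password")
```

The detection signal for defenders is the same thing the hardened handler enforces: a contact-change challenge should only ever be delivered to a contact that was on the account before the request, and a request arriving from an unauthenticated session should be logged and refused.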

Meta has confirmed the flaw has been patched. Company VP of Communications Andy Stone stated the issue is resolved and that Meta is actively securing affected accounts. Some victims, however, reported that they were unable to use the same AI system to recover their hijacked accounts and found no human support as a fallback. This secondary failure compounded the harm.


What This Means for Canadian Users and Businesses

Canada has approximately 14 to 15 million active Instagram users. For many Canadian small businesses, creators, restaurants, and service providers, an Instagram account is not just a social media profile: it is a core business asset, a direct marketing channel, and in many cases, the primary way customers find and contact them.

Under PIPEDA (Personal Information Protection and Electronic Documents Act), and Quebec’s more stringent Law 25, organizations that suffer a security incident resulting in unauthorized access to personal information are required to notify affected individuals and the Office of the Privacy Commissioner of Canada when there is a real risk of significant harm. While Meta’s patch is in place, businesses that had their accounts compromised during the active exploitation window may face questions about what customer data was accessible or exposed through those accounts.

The Canadian Centre for Cyber Security (CCCS) has consistently highlighted AI-enabled support tools and social engineering as growing vectors in its annual threat assessments. This incident is a real-world confirmation of that warning: AI tools integrated into account management functions without robust identity verification create a category of risk that traditional perimeter security does not address.

Canadian organizations using Instagram for customer communications, appointment bookings, or business operations should treat this as a prompt to review their social media security posture across all platforms, not just Meta’s.


Key Takeaways

  • A logic flaw in Meta’s AI Support Assistant allowed attackers to hijack Instagram accounts using only a target’s username and a geographically matched VPN, requiring no malware, no phishing, and no access to the victim’s email.
  • The attack chain exploited a form of prompt injection: the AI chatbot treated the conversation participant as the account owner without any identity verification step.
  • Compromised accounts included the Obama White House handle, a US Space Force official, security researcher Jane Manchun Wong, developer @albert, Sephora, and premium handles collectively valued at over $1 million.
  • According to 404 Media, threat actors had exploited this vulnerability since at least March 2026, roughly three months before it became publicly known.
  • Stolen accounts were sold immediately through private Telegram channels, reflecting a mature account-takeover-as-a-service market operating in real time.
  • Meta patched the flaw on June 1, 2026, and confirmed no backend systems were breached, though some victims found no human support fallback when attempting to recover their accounts through the same AI tool.
  • Canadian users and businesses face PIPEDA notification obligations if personal data was accessible through compromised accounts during the active exploitation period.

What You Should Do Now

  1. Enable app-based two-factor authentication immediately. Use an authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy rather than SMS-based codes. Accounts protected by app-based 2FA were significantly harder to compromise in this incident. This applies to Instagram, Facebook, and all Meta-connected accounts.
  2. Audit the email address linked to your Instagram account. Log in to your Instagram settings, go to Personal Information, and confirm the registered email is a private, dedicated address that is not publicly associated with your profile or business. Attackers in this incident needed only your username and a VPN. They did not need your email until the chatbot handed them a code.
  3. Review all active sessions in Instagram’s Security Settings. Navigate to Settings, Security, and then Login Activity. Log out of any sessions you do not recognize. If your account was active during the June 1 exposure window, treat any unfamiliar active session as a potential compromise.
  4. Remove public references to your Instagram username from web directories and email signatures where possible. The attack required only a username as its starting point. Minimizing exposure of your handle on business directories, contact pages, and public listings reduces your attack surface.
  5. If you are a Canadian business owner, review your PIPEDA breach response plan. If your account was compromised and contained customer data, direct messages, or contact information, assess whether the breach meets the threshold for notification to the Office of the Privacy Commissioner of Canada and your affected customers.
  6. Do not rely solely on AI support tools for account recovery on any platform. Verify whether the platforms your business depends on offer a path to human support. The absence of a human fallback during this incident left some victims without recourse. Know your recovery options before you need them.
  7. Monitor your connected third-party apps. If your Instagram account was linked to scheduling tools, e-commerce platforms, or marketing automation services, review those connections under Settings, Security, Apps and Websites. Revoke access for any inactive or unrecognized integrations.
