Hackers Used Meta’s Own AI Support Bot to Take Over Instagram Accounts And It Was Shockingly Simple
In one of the most alarming cybersecurity incidents of 2026, hackers exploited Meta’s AI-powered support chatbot to hijack hundreds potentially thousands of Instagram accounts. The attack required no sophisticated hacking tools, no phishing kits, and no insider access. Hackers simply asked the chatbot to hand over the accounts, and it complied.
The widespread hacking campaign, which came to light over the weekend of May 31–June 1, 2026, targeted high-profile Instagram accounts including those with rare “OG” handles short, desirable usernames taken by the platform’s earliest users. Among the victims: the dormant Obama White House account and the Instagram account of the U.S. Space Force’s chief master sergeant, John Bentivegna.
How the Attack Worked
The mechanics of the exploit were disturbingly straightforward. Meta announced in March 2026 that it was deploying an AI-powered support chatbot designed to “resolve account issues from start to finish,” including the ability to “reset your password securely.” This gave the chatbot elevated permissions that previously required human oversight.
Hackers discovered that by simply telling the chatbot they were the owner of a target account and requesting that the account be linked to a new email address, the bot would comply no verification required. Once the email was changed, the attacker could reset the password and lock out the legitimate owner entirely.
“These attacks were so simple that calling them hacks may be giving the people behind them too much credit,” TechCrunch noted in its reporting, “while at the same time not putting enough blame on Meta for not preventing rudimentary attacks from hijacking people’s accounts.”
Meta’s Response and Its Shortcomings
On Monday, June 2, Meta spokesperson Andy Stone stated that “the issue that did happen has already been fixed.” However, reports of new account takeovers continued to emerge on Tuesday, June 3. TechCrunch observed active discussions in a Telegram channel where hackers were still advertising apparently stolen handles for sale suggesting the fix was incomplete.
Meta subsequently secured affected accounts and began sending password reset emails to victims. Instagram users began receiving notifications warning them that “suspicious activity” had been detected and that the company had taken measures to secure their accounts.
The Broader Implications for AI-Powered Customer Support
This incident exposes a critical vulnerability in the rush to automate customer support with AI. When AI agents are granted the ability to perform sensitive account actions password resets, email changes, account recovery without robust identity verification, they become a single point of failure that bad actors can exploit at scale.
Security researchers have long warned about the risks of “agentic AI” AI systems that can take real-world actions on behalf of users. This incident is a stark, real-world demonstration of those risks. As companies race to deploy AI agents across their platforms, the Meta/Instagram breach serves as a cautionary tale: AI automation without proper guardrails is a security liability, not just a feature.
For quality tech news, professional analysis, insights, and the latest updates on technology, follow TechTrib.com. Stay connected and join our fast-growing community.
TechTrib.com is a leading technology news platform providing comprehensive coverage and analysis of tech news, cybersecurity, artificial intelligence, and emerging technology. Visit techtrib.com.
Contact Information: Email: news@techtrib.com or for adverts placement adverts@techtrib.com
About The Author
