Meta's AI Chatbot Handed Hackers the Keys to Instagram Accounts
Meta's AI support assistant, deployed earlier this year to handle account recovery requests, was compromised by attackers who used it to steal high-value Instagram accounts. Over the past few months, the chatbot granted unauthorized access to accounts belonging to the Obama White House, Sephora, a senior US Space Force official, and security researcher Jane Manchun Wong. Meta pushed an emergency patch over the weekend after the accounts were briefly defaced with pro-Iranian imagery.
How the attack worked
The method was straightforward. Attackers located the target account owner's city (information available through public databases or basic research), then used a VPN to match the account's geographic region. This avoided triggering Instagram's security flags.
Next, they initiated a standard password reset and opened the support chat. They asked the AI bot to change the email address on the account. The bot complied and sent a one-time code directly to the attacker's inbox.
The chatbot had permission to modify accounts but lacked safeguards to verify it was actually talking to the account owner. Security researchers call this a "confused deputy": a system with legitimate access but no way to confirm who it's helping. The concept dates back to the 1980s.
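As an added illustration (not Meta's code and not from the original article), the confused-deputy shape of the flaw is shown beside a hardened flow in which the one-time code only ever goes to the address already on file, so the requester must prove control of the existing identity before anything changes. Function names, the account store, and the sample handle are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets


@dataclass
class Account:
    handle: str
    email: str
    pending_code: Optional[str] = None  # one-time code "sent" out of band


def change_email_confused_deputy(accounts: dict, handle: str, new_email: str) -> str:
    """The flaw shape: the assistant holds write access and acts on nothing but
    the chat's claim about which account to edit. The code is then delivered
    to the NEW address, i.e. to whoever asked. Returns the delivery address."""
    acct = accounts[handle]
    acct.email = new_email
    acct.pending_code = secrets.token_hex(3)
    return new_email  # the requester's own inbox


def start_email_change(accounts: dict, handle: str) -> str:
    """Hardened step 1: issue a code only to the address already on file.
    Returns the delivery address, which is never the attacker-chosen one."""
    acct = accounts[handle]
    acct.pending_code = secrets.token_hex(3)
    return acct.email


def confirm_email_change(accounts: dict, handle: str, code: str, new_email: str) -> bool:
    """Hardened step 2: the mutation is authorised by the requester's proof of
    control, not by the assistant's own permissions. The code is single use."""
    acct = accounts[handle]
    if acct.pending_code is None:
        return False
    ok = hmac.compare_digest(acct.pending_code, code)
    acct.pending_code = None  # burn it whether or not it matched
    if ok:
        acct.email = new_email
    return ok


if __name__ == "__main__":
    # Constructed sample account; not a real Instagram handle.
    store = {"brand_demo": Account("brand_demo", "owner@example.com")}
    print("vulnerable path sends code to:", change_email_confused_deputy(store, "brand_demo", "other@example.net"))
    store = {"brand_demo": Account("brand_demo", "owner@example.com")}
    print("hardened path sends code to:", start_email_change(store, "brand_demo"))
```

The same pattern applies to any tool an assistant can call that mutates account state: the tool, not the model, must check that the caller has proven ownership.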
Even when Instagram's enhanced security triggered, attackers succeeded by submitting video deepfakes of their targets, created using photos harvested from Instagram itself.
Why accounts matter
Instagram accounts, particularly those with short or memorable usernames registered early, sell for thousands of dollars on underground markets. Beyond financial gain, attackers have blackmailed businesses that depend on these accounts for marketing.
What protects you
Multi-factor authentication (MFA) stopped the attack. According to cybersecurity reporter Brian Krebs, accounts with MFA enabled, including those using SMS codes, were not compromised.
To enable two-factor authentication on Instagram:
- Open Instagram Settings
- Navigate to your Meta Accounts Center
- Turn on Two-factor authentication (an authenticator app is stronger than SMS, but either beats nothing)
Do this now. A separate attack is already circulating using a modified version of Instagram on an Android emulator, designed to send prompts with hidden characters that manipulate the AI.
The bigger picture
This won't be the last AI chatbot security failure. As companies deploy AI for customer support to cut costs, their attack surface expands. Teams will continue making mistakes balancing security and functionality.
The specific Meta flaw is patched. The confused deputy problem is not. A chatbot with access to account systems but no way to verify identity is a structural vulnerability, not a one-time bug.
Meta communications executive Andy Stone said the issue was resolved and impacted accounts were being secured. The company has not disclosed how many accounts were affected.