Instagram has resolved a security issue that allowed several users’ accounts to get hacked. The attack appeared to rely on tricking Meta’s own AI-powered support chatbot into granting access to a victim’s account.

Over the weekend, several users on Reddit claimed that their Instagram accounts had been compromised, and a number of users on X warned of similar account hijackings. The compromised accounts include the Instagram handle for the Obama-era White House, which appears to have been inactive since 2017; and the account of the U.S. Space Force’s chief master sergeant John Bentinvegna.

Security researcher Jane Wong said her Instagram account was also taken over.

“The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday,” said Wong. “Quite concerning.”

A video posted on X showed the step-by-step process to hack someone’s Instagram account.

The hacker allegedly used a VPN to spoof the targets’ presumed location to avoid triggering Instagram’s automated account protections. Then, the hacker opened a chat with Meta AI Support Assistant and asked the bot to add a new email address to the target’s account. The chatbot can be seen sending a verification code to the email address provided by the hacker; the hacker then shares the verification code with the chatbot, which prompts the chatbot to show a button to “Reset Password.” The hacker enters a new password and takes over the victim’s account.

TheTechSpot was able to verify that the hacker’s public email mailbox, which was displayed in the video, did in fact receive the verification code.

The attack relied on the fact that at no point did the hacker have to take over the legitimate email address linked to the victims’ Instagram account.
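The gap described above, modeled as an added example (not code from the article or from Meta): a code sent to an address the requester supplies proves control of that mailbox only, so linking it needs separate proof from a contact already on the account. All class and function names, the sample addresses and the hardened check are assumptions; the article does not say how the issue was fixed.

```python
import hmac
import secrets

class Account:
    def __init__(self, handle, verified_emails):
        self.handle = handle
        self.verified_emails = set(verified_emails)
        self.pending = {}  # address -> one-time code awaiting confirmation

def send_code(account, address):
    """Issue a one-time code for `address`; returning it stands in for delivery."""
    code = f"{secrets.randbelow(10**6):06d}"
    account.pending[address] = code
    return code

def _code_ok(account, address, code):
    # Codes are single use: pop before comparing, compare in constant time.
    expected = account.pending.pop(address, None)
    return expected is not None and hmac.compare_digest(expected, code)

def add_email_weak(account, new_address, code):
    """Flow as the article describes it: the only check is a code mailed to the
    requester-supplied address, which proves control of that mailbox alone."""
    if _code_ok(account, new_address, code):
        account.verified_emails.add(new_address)
        return True
    return False

def add_email_hardened(account, new_address, new_code, existing_address, existing_code):
    """Assumed fix: also require a code from a contact already verified on the account."""
    if existing_address not in account.verified_emails:
        return False
    # Check both codes so a failed attempt burns both.
    ok_existing = _code_ok(account, existing_address, existing_code)
    ok_new = _code_ok(account, new_address, new_code)
    if ok_existing and ok_new:
        account.verified_emails.add(new_address)
        return True
    return False

def can_reset_password(account, address):
    """Password reset is offered only to addresses linked to the account."""
    return address in account.verified_emails

if __name__ == "__main__":
    acct = Account("victim", ["owner@example.com"])  # constructed sample data
    code = send_code(acct, "requester@example.net")
    print(add_email_weak(acct, "requester@example.net", code))  # linked without owner proof
```

The same rule applies when the caller is a support chatbot: the tool it invokes should enforce the existing-contact check itself rather than trust the conversation.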

On Monday, Instagram spokesperson Andy Stone said in a reply to Wong’s post and others that the issue was now fixed. It’s unclear how many Instagram users had their accounts improperly accessed.

Meta did not immediately respond to TheTechSpot’s request for comment.

Instagram fixes security flaw that allowed account takeover via Meta’s AI

Instagram has addressed a security issue that allowed attackers to take control of users’ accounts by exploiting a weak interaction in Meta Platforms’ artificial intelligence-assisted system.

The case became public after several users reported on platforms like Reddit and X that their accounts had been compromised, including well-known institutional and official profiles.

How the attack happened

According to security reports and analysis published online, the attack did not rely on directly cracking passwords, but on manipulating the account recovery process.

The steps used by the attackers included:

hiding their real location via VPN
communicating with the Meta AI Support Assistant system
requesting to add a new email to the victim’s account
receiving the verification code sent by the system
using the code to change the password and take control of the account

This method was effective because it did not require access to the user’s original email.

Accounts reported as affected

Various reports have mentioned:

accounts linked to the former Obama administration (active until 2017)
an account of a U.S. Space Force official
the account of security researcher Jane Wong

Jane Wong stated that she had noticed multiple unauthorized attempts to recover and change the password before her account was taken over.

Instagram’s response

A representative for Instagram confirmed that the issue has been addressed and fixed, but did not provide full details on:

the number of users affected
the extent of account compromise

Meanwhile, Meta Platforms has not published a full technical analysis of the incident.

Security experts say this incident points to a broader problem:

AI systems can be manipulated through fake requests
account recovery processes remain a weak point
automating support can create new security risks

This case is seen as an example of the risk of advanced social engineering with the help of AI.

Conclusion

The incident shows that even the largest social platforms can be vulnerable when artificial intelligence systems are used in security processes. Although the problem has been resolved, the incident raises serious questions about how AI is integrated into the protection of user accounts.
