Meta’s AI Support Bot Flaw Enables Instagram Account Hijacks

Instagram AI support bot flaw enables rapid account takeovers and 2FA bypass

How Meta’s AI Support Bot Was Exploited

Meta’s AI support bot flaw enabled attackers to hijack Instagram accounts by bypassing two-factor authentication. This critical vulnerability came to light when hackers exploited a logic flaw in the AI-powered chatbot. Instead of using traditional hacking techniques or phishing, attackers simply requested the bot to link a new email address to a victim’s account. This method allowed them to reset passwords and lock out legitimate owners.

The attack started with identifying high-value Instagram handles—often short usernames or verified profiles worth thousands on underground markets. Hackers used VPNs or residential proxies to impersonate the victim’s location and avoid detection by Instagram’s automated fraud tools.

Once they targeted an account, attackers engaged Meta’s AI Support Assistant. Using natural language, they requested an email change for the account, providing their own email address. The bot, which had backend privileges, processed the request without checking the attacker’s identity. It then sent a verification code directly to the attacker’s email. After the code was relayed back, the bot enabled the password reset process, cycling backup codes and effectively locking out the original account owner.

Remarkably, this process required no malware, phishing link or access to the victim’s email. Legitimate owners received no alerts or warnings during the compromise. Accounts were taken over in minutes, with stolen handles quickly listed for resale on platforms like Telegram.

High-Value Accounts Targeted in the Attack

This was not a broad attack, but a targeted operation. Hackers focused on high-value, dormant or verified Instagram accounts. The following notable accounts were confirmed as compromised:

  • @obamawhitehouse: The dormant Obama-era White House account, inactive since 2017, was seized and defaced with political content.
  • @hey and @jowo: Short handles with a combined estimated value above $1 million, documented by crypto-crime researchers.
  • Sephora: The official Instagram account of the retailer was hijacked.
  • US Space Force: The Instagram profile saw unauthorised access and disruption.

These incidents highlight the scale of the problem and how quickly high-value profiles can be compromised and resold. Stolen usernames appeared almost immediately on underground forums, making recovery difficult for legitimate owners.

Why Meta’s AI Support Bot Flaw Matters

This flaw is significant because it undermined trust in automated support systems and exposed the risks of AI-powered account management. For organisations and brands, Instagram is more than a social platform—it is a vital channel for marketing, customer engagement and reputation.

By bypassing two-factor authentication, attackers rendered traditional account security measures ineffective. Legitimate users were locked out, often without any notification, leaving them unable to respond quickly. The speed of these hijacks and the value of compromised handles demonstrate the consequences for businesses and institutions.

UK small and medium-sized businesses (SMBs) that rely on Instagram should take particular note. Brand reputation and customer trust can be damaged in minutes if an account is hijacked. The flaw also illustrates how attackers are adapting to exploit weaknesses in AI-driven tools, rather than traditional phishing or malware.

Protecting Your Organisation’s Instagram Accounts

Organisations must review their Instagram security practices in light of this incident. Here are practical steps to help minimise risk:

  • Review Admin Roles: Regularly audit who has access to your Instagram account, removing unnecessary or outdated permissions.
  • Update Recovery Contacts: Ensure that recovery emails and phone numbers are accurate and monitored by trusted personnel.
  • Monitor for Unusual Activity: Set up alerts for login attempts, password changes and suspicious behaviour. Check for unexpected logout events or missed alerts.
  • Prepare Rapid Recovery Procedures: Have a documented plan for account recovery, including escalation contacts with Instagram support and backup communication channels.
  • Educate Staff: Train staff on recognising signs of account compromise and reporting incidents swiftly.

Additionally, consider enabling extra authentication factors where possible, such as app-based authentication or hardware tokens. Note that extra login factors do not by themselves close a support-channel weakness like this one, because the bot's email change sidestepped the login flow entirely; their value is that layered controls can still slow down adversaries and provide more opportunities for detection.

Lessons for AI-Driven Support Systems

This incident underscores the importance of rigorous testing and oversight for AI-powered support tools. Organisations deploying chatbots or automated account management features should:

  • Conduct regular security audits to identify logic flaws and privilege misuse.
  • Implement strict identity verification steps for sensitive operations like email changes and password resets.
  • Monitor chatbot activity logs for anomalous patterns and unauthorised requests.
  • Provide clear user alerts for account changes, ensuring owners are immediately informed of modifications.
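As an added illustration (not code from the original bulletin or from Meta), the Python sketch below contrasts the flawed flow described under "How Meta's AI Support Bot Was Exploited", where the assistant mails the verification code to whatever address the requester supplies, with a gated flow that applies the verification, alerting and monitoring points listed above: sensitive actions require re-authentication with an existing factor, confirmation goes only to the existing recovery contact, and every denial is logged and counted. The account model, the in-memory outbox and all function names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Actions that must never be executed on the requester's say-so alone
SENSITIVE = {"change_email", "reset_password", "rotate_backup_codes"}

@dataclass
class Account:
    handle: str
    recovery_email: str
    verified_requester: bool = False   # True only after re-auth with an existing factor
    audit: list = field(default_factory=list)  # (action, outcome) entries for monitoring

outbox = []  # constructed stand-in for the mail sender: (recipient, purpose)

def notify(recipient, purpose):
    outbox.append((recipient, purpose))

def unsafe_tool_call(acct, action, new_email=None):
    """Flawed flow: trusts the request and sends the code to the supplied address."""
    if action == "change_email":
        notify(new_email, "verification_code")   # requester-controlled mailbox gets the code
        acct.recovery_email = new_email          # owner is neither asked nor alerted
    acct.audit.append((action, "executed"))
    return "executed"

def gated_tool_call(acct, action, new_email=None):
    """Hardened flow: re-auth required, confirmation to the EXISTING contact, denials logged."""
    if action not in SENSITIVE:
        acct.audit.append((action, "executed"))
        return "executed"
    if not acct.verified_requester:
        acct.audit.append((action, "denied_unverified"))
        notify(acct.recovery_email, "alert_denied_" + action)  # owner learns of the attempt
        return "denied"
    # Change is only staged; it applies after the owner confirms from the current contact
    notify(acct.recovery_email, "confirm_" + action)
    acct.audit.append((action, "pending_confirmation"))
    return "pending"

def suspicious(acct, threshold=1):
    """Detection hook: flag accounts with repeated denied sensitive requests."""
    denials = sum(1 for _, outcome in acct.audit if outcome == "denied_unverified")
    return denials >= threshold
```

The gated flow never writes the new address from the chat request alone; the owner's existing mailbox receives either the confirmation prompt or an alert, which is exactly the signal the bulletin says victims never got.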

Finally, maintain up-to-date incident response plans for social media accounts. Rapid detection and recovery are crucial to minimise reputational and operational harm.

Conclusion: Strengthening Instagram Account Security

The Meta AI support bot flaw illustrates how attackers can exploit new channels and technologies to bypass established security controls. By understanding the risks and taking proactive steps, organisations can better protect their Instagram accounts and brand reputation. Regular reviews, vigilant monitoring and robust recovery procedures are essential for SMBs and larger institutions alike.

Originally reported by cybersecuritynews.com.


About the Author


Rob McBride

Partner

  • CISSP
  • ACA Chartered Accountant
  • MPhil
  • BSc
  • SOC 2
  • ISO 27001


Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

Published: Jun 2 - 2026