
Meta’s Own AI Was Exploited to Hijack Instagram Accounts
Why It Matters
The breach exposes how AI‑driven support can become an attack vector, threatening user trust and highlighting the need for stronger authentication. It also underscores the security risks of scaling AI tools amid workforce cuts.
Key Takeaways
- Hackers used Meta AI chatbot to reset Instagram passwords.
- Exploit allowed email change without multi-factor authentication.
- High-profile accounts, including @obamawhitehouse, were compromised.
- Issue patched after disclosure, but highlights AI security gaps.
- Layoffs and AI push may have weakened Instagram's trust‑and‑safety team.
Pulse Analysis
Meta’s recent rollout of an AI‑driven support assistant was intended to streamline password resets and two‑factor setup, but the tool inadvertently opened a backdoor for attackers. By simply requesting the bot to associate a new email address, hackers received a verification code, enabling them to overwrite credentials on accounts lacking MFA. The method, captured in a Telegram video, demonstrates how conversational AI can be weaponized when verification steps are insufficient, especially in platforms with billions of active users.
The incident reverberated across the social media landscape as prominent accounts—including the @obamawhitehouse Instagram, a US Space Force chief’s profile, and Sephora’s brand page—were temporarily commandeered. These high‑visibility takeovers amplify concerns about the robustness of Meta’s security architecture, particularly as the company pushes AI integration while trimming its trust‑and‑safety workforce. Experts warn that reliance on AI without rigorous safeguards can erode user confidence, prompting regulators and advertisers to scrutinize platform resilience more closely.
Looking ahead, Meta must balance rapid AI deployment with hardened authentication protocols. Reinforcing multi‑factor authentication, instituting stricter AI request validation, and restoring dedicated security teams are immediate steps to mitigate future exploits. The episode serves as a cautionary tale for the broader tech industry: AI can accelerate service delivery, but without disciplined security oversight, it can also amplify attack surfaces, jeopardizing both brand reputation and user data integrity.
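The stricter request validation called for above can be modelled as a gate between the assistant and the account-mutation step. This is an added sketch, not Meta's code: `Account`, `Mailer` and the three functions are hypothetical names, and the addresses are constructed sample data. It contrasts the flow the article describes, where the code goes to the newly supplied address, with one that challenges the address already on file.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    handle: str
    email: str  # address already on file for the account

@dataclass
class Mailer:
    """Constructed stand-in for a mail transport: records address -> code."""
    sent: dict = field(default_factory=dict)

    def send(self, address, code):
        self.sent[address] = code

def start_change_weak(acct, new_email, mailer):
    # Pattern described in the article: the code goes to the address the
    # requester supplied, so it proves control of new_email only.
    code = secrets.token_hex(3)
    mailer.send(new_email, code)
    return {"code": code, "new_email": new_email}

def start_change_hardened(acct, new_email, mailer, session_authenticated):
    # An unauthenticated chat may not start a credential change at all.
    if not session_authenticated:
        return None
    # Challenge the channel the account owner already controls.
    code = secrets.token_hex(3)
    mailer.send(acct.email, code)
    return {"code": code, "new_email": new_email}

def confirm_change(acct, challenge, supplied_code):
    # Constant-time comparison; the address changes only on a matching code.
    if challenge is None or not hmac.compare_digest(challenge["code"], supplied_code):
        return False
    acct.email = challenge["new_email"]
    return True

if __name__ == "__main__":
    mailer = Mailer()
    acct = Account("example_handle", "owner@example.com")  # constructed data
    ch = start_change_weak(acct, "requester@example.net", mailer)
    print("weak flow, code delivered to:", list(mailer.sent))
    print("weak flow, address replaced:", confirm_change(acct, ch, ch["code"]))
```

In the hardened path the requester's own inbox never receives a code, so a conversation with the assistant alone cannot complete the change.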