How Hackers Tricked Meta’s AI Chatbot into Handing Over High-Profile Instagram Accounts
A complete breakdown of the June 2026 Instagram breach where hackers used simple prompts to trick Meta's AI support bot into giving them access to high-profile accounts.
What if I told you that hacking into a high-profile Instagram account didn’t require advanced coding skills, zero-day exploits, or a network of compromised servers? What if all it took was asking an AI chatbot nicely?
Over the first weekend of June 2026, the cybersecurity world watched in disbelief as a wave of high-profile Instagram accounts were hijacked. The attackers didn’t breach Meta’s core databases. Instead, they targeted the company’s automated customer service layer—specifically, the AI support chatbot introduced earlier this year.
By simply chatting with the bot and asking it to change the email addresses associated with targeted accounts, hackers successfully bypassed standard security protocols. Here is a look at exactly how this bizarre and incredibly simple exploit played out.
The Casualties
This wasn’t a quiet breach targeting inactive users. The attackers—allegedly a pro-Iranian hacking group—went after highly visible, valuable accounts. The hijacked pages were quickly defaced with pro-Iranian images and messages.
Among the confirmed victims were:
- The Barack Obama White House Instagram account.
- The Chief Master Sergeant of the U.S. Space Force.
- Global beauty retailer Sephora.
- Prominent security researcher (and former Meta employee) Jane Manchun Wong, who reported getting repeatedly logged out of her iOS app as her account was taken over.
Other highly coveted, short-handle Instagram usernames were also stolen and reportedly bundled for sale on the dark web for up to $1 million.
How the “Please Hand Over the Account” Exploit Worked
When an account gets locked out, recovering it used to involve a frustrating, weeks-long back-and-forth with an automated ticketing system. To reduce friction, Meta deployed a conversational AI assistant in March 2026 to handle tasks like password resets and email relinking.
The hackers realized that this AI assistant was a little too helpful.
According to videos and instructions circulated on Telegram and X, the exploit was shockingly straightforward:
- Spoofing the Location: The attacker would use a VPN to connect to an IP address matching the target victim’s usual hometown, bypassing automated location safeguards.
- Triggering the Bot: They would navigate to the Instagram login page, hit “forgot password,” enter the target’s username, and click the “Get Support” button to summon Meta’s AI bot.
- Prompt Injection: Instead of following the normal flow of sending a code to the owner’s phone or email, the attacker simply sent a text prompt asking the bot to link the account to a new email address that the hacker controlled.
- The Handover: The bot, eager to assist, would send an 8-digit verification code to the hacker’s email address.
- Taking Control: The hacker pasted that code back into the chat. The AI then provided a “Reset Password” button, allowing the attacker to lock the original owner out.
At no point was the hacker required to prove ownership of the original account or access the victim’s inbox. The AI trusted the human on the other side of the screen blindly.
The “Confused Deputy” Problem in AI
In cybersecurity, there is a concept known as the “confused deputy” problem. It happens when a component with high privileges is tricked by a less-privileged party into using that authority on the attacker’s behalf, so the privileged component ends up doing something its own caller would never have been allowed to do directly.
Meta’s AI chatbot was granted the authority to modify sensitive account recovery information to help users. But because Large Language Models (LLMs) operate on natural language rather than rigid code constraints, the AI was susceptible to a “prompt injection” attack. The hackers manipulated the AI’s decision-making process by feeding it instructions that overrode its intended security rules.
The incident highlights a massive weakness as tech giants rush to replace human support staff with AI agents: bots are incredibly vulnerable to social engineering. They lack the intuition to realize that a random user asking to change the email on the official Obama White House account might be a bad actor, and if the bot itself is the only thing deciding whether a request is legitimate, a persuasive prompt is all it takes.
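To make the confused-deputy point concrete, here is an added example (not Meta’s code, and not taken from the article) that contrasts the flawed pattern described above with a hardened one: the chat agent may only request a recovery-email change, and a deterministic gate decides, sending the proof-of-ownership code to the existing contact and demanding the second factor when MFA is enrolled. The `Account` store, the `send` callback and the code format are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable

# Constructed, hypothetical account record; not Meta's real data model.
@dataclass
class Account:
    username: str
    recovery_email: str
    mfa_enrolled: bool = False

def naive_link_email(accounts, username, new_email, send):
    """Flawed pattern from the incident: the tool trusts the chat request,
    binds the requester's address and sends the code *there*."""
    accounts[username].recovery_email = new_email
    send(new_email, "reset code")          # requester now holds the proof
    return True

@dataclass
class RecoveryGate:
    """Deterministic policy layer between the LLM agent and privileged
    tools. The model can only *ask*; the gate needs evidence the model
    (or the person prompting it) cannot simply assert."""
    accounts: dict
    send: Callable[[str, str], None]
    pending: dict = field(default_factory=dict)   # username -> (email, code)

    def request_email_change(self, username, new_email):
        acct = self.accounts[username]
        code = f"{secrets.randbelow(10**8):08d}"   # 8-digit one-time code
        # Proof of possession goes to the *current* contact, never to the
        # address supplied in the chat, whatever the prompt says.
        self.pending[username] = (new_email, code)
        self.send(acct.recovery_email, code)
        return "code sent to the account's existing contact"

    def confirm_email_change(self, username, code, mfa_ok=False):
        acct = self.accounts[username]
        new_email, expected = self.pending.get(username, (None, None))
        if expected is None or not hmac.compare_digest(code, expected):
            raise PermissionError("no valid proof of ownership")
        if acct.mfa_enrolled and not mfa_ok:
            raise PermissionError("second factor required")
        del self.pending[username]              # one-time use
        acct.recovery_email = new_email
        return True
```

The key property is that nothing the agent says can change where the code is delivered or skip the MFA check; the decision never lives in the model.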
The Fix (And How to Protect Yourself)
Meta pushed an emergency patch over the weekend to close the loophole. Meta spokesperson Andy Stone confirmed on X (formerly Twitter) that the issue has been resolved and the company is actively working to restore access to the impacted individuals.
While this specific loophole is closed, the incident leaves us with a stark reminder. As AI becomes more deeply integrated into the backbone of our digital lives, these kinds of prompt injection exploits will become more common.
There is, however, one silver lining: Multi-Factor Authentication (MFA).
The hackers themselves admitted on Telegram that their exploit failed against any account that had two-factor authentication enabled. Without MFA, the reset code went straight to the attacker’s email. With MFA, the account required a secondary code from an authenticator app or an SMS text, stopping the attack dead in its tracks.
If you haven’t already, take 60 seconds today to turn on MFA for your Instagram account. Because as this weekend proved, you can’t always trust the AI gatekeeper to recognize the bad guys.