Meta AI Support Bot Exploit Lets Hackers Hijack High‑Profile Instagram Accounts

Meta AI support bot vulnerability triggers Instagram hijacks

Over the weekend, the Instagram feeds of the Obama White House and the U.S. Space Force’s senior enlisted leader displayed pro‑Iranian graphics after a Telegram‑circulated tutorial showed how to coerce the Meta AI support bot into resetting passwords. Within minutes, attackers spoofed a VPN near the target’s hometown, initiated a password reset, then chatted with the AI assistant to link a fresh email address. The bot dutifully mailed a one‑time code, granting full account control.

Step‑by‑step of the breach

The Telegram video demonstrated three moves: 1) launch a VPN session with a local IP, 2) request a password reset, 3) instruct the AI to associate a new email. Once the code arrived, the intruder entered it and seized the account.

“AI chatbots create a fresh attack surface; we will see more of these exploits,” said Ian Goldin, threat researcher at Lumen’s Black Lotus Labs.

Meta’s spokesperson Andy Stone confirmed the flaw was patched on May 31, adding that no back‑end database was compromised. The emergency fix, reported by Reuters, restores the traditional verification flow and disables email‑linking via the bot. Security analysts note that even the weakest form of multi‑factor authentication—SMS codes—would have blocked the attack; accounts with any MFA in place were untouched. The Telegram post also claimed the stolen handles could fetch ↑ $500k on the resale market, underscoring the monetary lure of short, memorable usernames. Users are urged to enable robust MFA, preferably hardware‑based security keys, to mitigate future AI‑driven social engineering attempts. Bloomberg warns that as platforms automate support, attackers will increasingly target conversational agents.

Dispatch from Kaelen Frost (Lead Cybersecurity Analyst).