Hackers Exploit Meta AI Support Bot to Hijack High‑Profile Instagram Accounts

Jun 11, 2026 - 14:00
Jun 11, 2026 - 09:47
 0
Hackers Exploit Meta AI Support Bot to Hijack High‑Profile Instagram Accounts
Exhibit at the World's #1 Virtual Deal-making Exhibition for trade and commerce.
Exhibit at the World's #1 Virtual Deal-making Exhibition for trade and commerce.

Pro‑Iranian hackers briefly seized control of several high‑visibility Instagram accounts — including the Obama White House account and the Chief Master Sergeant of the U.S. Space Force — after instructions circulated on Telegram showing how to manipulate Meta’s AI support assistant into resetting account passwords.

How the Instagram Account Takeover Worked

Beginning May 31, Telegram channels tied to pro‑Iranian groups shared a video demonstrating a surprisingly simple exploit. According to the footage, attackers:

  • Used a VPN to mimic an IP address near the victim’s hometown
  • Initiated a standard Instagram password‑reset request
  • Selected the option to chat with Meta’s AI support assistant
  • Instructed the bot to add a new email address to the account
  • Received a one‑time code at that email, enabling a full password reset

The Telegram account behind the video also posted screenshots of defaced Instagram profiles, claiming the exploit allowed them to steal rare, short‑handle usernames — some allegedly valued at more than $500,000 on underground markets.

Meta’s Response

Meta has not issued a detailed public statement, but the company reportedly confirmed that the dormant Obama White House Instagram account was compromised. Security researchers at thecybersecguru.com reported that Meta deployed an emergency patch and emphasized that no internal databases were breached.

The blog noted that Instagram’s historically slow and automated support process likely motivated Meta to introduce an AI‑driven recovery assistant designed to help users with:

  • Relinking lost email addresses
  • Triggering password resets
  • Verifying account ownership

However, that same convenience created a new attack vector.

Why AI‑Driven Account Recovery Is a Growing Security Risk

Ian Goldin, a threat researcher at Lumen’s Black Lotus Labs, warned that AI‑powered support systems introduce new social‑engineering risks. Just as human support agents can be manipulated, AI chatbots can be persuaded into performing unauthorized actions.

Goldin noted that AI chatbots expand the attack surface, and similar exploits are likely to emerge as more platforms automate sensitive account‑recovery workflows.

How Users Can Protect Their Instagram Accounts

The attackers themselves admitted that their method did not work on accounts protected by multi‑factor authentication (MFA). Even Instagram’s weakest MFA option — SMS one‑time codes — would have blocked the takeover.

To secure your accounts, enable the strongest MFA available, such as:

These options significantly reduce the risk of unauthorized access, even when platform support tools are exploited.

Reward this post with your reaction or TipDrop:

Like Like 0
Dislike Dislike 0
Love Love 0
Funny Funny 0
Angry Angry 0
Sad Sad 0
TipDrop TipDrop 0
Brian Krebs Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators. In 2014, he was profiled in The New York Times, Business Week, NPR’s Terry Gross, and by Poynter.org. More recently, he was invited to an “Ask Me Anything” discussion on Reddit about investigative reporting.
Silvergoldbull - buy and sell gold and silver securely.
Silvergoldbull - buy and sell gold and silver securely.