This is one of those stories that makes you rub your eyes. Hackers took over high-profile Instagram accounts — not through sophisticated exploits or zero-days, but by asking Meta’s AI support chatbot to change the email address on the target account. And the bot did it.
How the Attack Worked
The process was disturbingly simple: turn on a VPN to spoof the target’s location. Open a chat with the Meta AI Support Assistant. Ask it to add a new email address to the account. The bot sends a verification code to the hacker’s email, the hacker enters the code, gets a ‘Reset Password’ button — and that’s it.
No password needed. No security question. No human agent getting suspicious.
Who Got Hit
The victim list reads like a who’s who: the official Barack Obama White House account, the Chief Master Sergeant of the US Space Force, and Sephora’s Instagram profile. Instagram has since started notifying affected users.
The Only Defense
According to the hackers themselves, the attack failed under exactly one condition: when the target account had two-factor authentication (MFA) enabled. That’s the good news. The bad news: most accounts don’t have MFA turned on.
Meta’s Response
Instagram spokesperson Andy Stone said the issue was fixed. However, security researchers reported that attacks continued even after the supposed fix.
What This Means
The case highlights a fundamental problem: when AI chatbots get access to security-critical functions — like changing email addresses — social engineering suddenly becomes scalable. The hacker doesn’t need to convince a human anymore. They just need the bot to classify the request as legitimate.
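To make the failure concrete, here is an added example (not Meta's code; the account, proof and function names are assumptions) that contrasts the check the article describes, where proving control of the newly supplied address is the only gate, with a step-up check that first demands proof of something already bound to the account.

```python
"""Authorization model for an 'add recovery email' request that arrives
through a support assistant. Constructed illustration, not Meta's code."""
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    emails: list[str]          # contacts already on file
    mfa_enabled: bool = False


@dataclass
class Proofs:
    """What the requester has actually demonstrated in this session,
    as opposed to what they claimed in the chat."""
    new_email_code_ok: bool = False       # code sent to the NEW address was entered
    existing_email_code_ok: bool = False  # code sent to an address already on file
    mfa_ok: bool = False                  # second factor passed


def weak_add_email(acct: Account, p: Proofs, new_email: str) -> tuple[bool, str]:
    """Flow described in the article: the requester chooses the address that
    receives the code, so verifying that code proves nothing about ownership.
    Only MFA (when enabled) stops the request."""
    if acct.mfa_enabled and not p.mfa_ok:
        return False, "mfa required"
    if not p.new_email_code_ok:
        return False, "new address not verified"
    acct.emails.append(new_email)
    return True, "email added; password reset now possible"


def hardened_add_email(acct: Account, p: Proofs, new_email: str) -> tuple[bool, str]:
    """Step-up: a new contact is bound only after the requester proves control
    of an existing factor (a contact already on file, or MFA)."""
    if acct.mfa_enabled and not p.mfa_ok:
        return False, "mfa required"
    if not (p.existing_email_code_ok or p.mfa_ok):
        return False, "step-up required: verify an existing contact first"
    if not p.new_email_code_ok:
        return False, "new address not verified"
    acct.emails.append(new_email)
    return True, "email added after step-up verification"


if __name__ == "__main__":
    # Constructed scenario: requester only proved control of the address it supplied.
    attacker_proofs = Proofs(new_email_code_ok=True)
    print(weak_add_email(Account("victim", ["owner@example.com"]), attacker_proofs, "x@example.net"))
    print(hardened_add_email(Account("victim", ["owner@example.com"]), attacker_proofs, "x@example.net"))
```

The same request reaches both functions; the hardened one refuses it because nothing in the session ties the requester to the account, which is the check the assistant-driven flow lacked.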
For anyone still not using two-factor authentication: this is your wake-up call.
Sources: 404 Media, TechCrunch, Krebs on Security