Instagram Users Targeted by Hackers Amid AI Chatbot Vulnerabilities

TL;DR

• Hackers reportedly used Meta’s AI-powered Instagram support chatbot to help take over accounts by requesting email changes and password resets.
• Meta says the issue has been fixed and that it is taking steps to secure affected accounts and notify users.
• Reports say the abuse may have targeted high-profile accounts, but Meta rejected claims that global leaders’ accounts were breached.

Instagram's Security Loophole

Instagram has moved to close a security loophole that allowed attackers to manipulate its AI support system and gain unauthorized access to user accounts. The incident highlights how quickly AI-driven support tools can become security liabilities when they are allowed to touch account recovery and password reset flows.

AI Support Became the Attack Surface

According to multiple reports, hackers exploited Instagram’s support chatbot by pretending to be legitimate account holders and asking it to update linked email addresses. In some cases, attackers allegedly used VPNs to make their activity appear to come from the same location as the victim, helping them avoid automated security checks.

The reported method was deceptively simple: the attacker would identify a target username, request an email change through Meta’s AI support assistant, receive a verification code at an attacker-controlled email address, and then use that code to trigger a password reset. Security researchers described the flaw as a logic error in the system’s trust model, effectively turning the chatbot into a “confused deputy” that carried out sensitive actions on behalf of the wrong person.

What Meta Says Happened

Meta spokesperson Andy Stone said the issue has been resolved and that the company is taking measures to secure affected accounts. Stone also pushed back on claims that the exploit was used to compromise accounts belonging to global leaders, calling those reports “completely false.”

Meta has not publicly detailed how many accounts were affected, and reports remain unclear on the full scale of the abuse. Some accounts may have been accessed without the attacker ever controlling the original email inbox tied to the Instagram profile, which made the takeover process faster and harder to detect.

High-Profile Accounts in the Crosshairs

The episode drew attention because some reports linked the abuse to prominent accounts, including ones associated with well-known public figures and organizations. 404 Media reported that the compromised accounts allegedly included a White House account used by Barack Obama, the U.S. Space Force Chief Master Sergeant’s account, and Sephora’s account.

Meta’s own public response, however, has been more cautious, emphasizing that the vulnerability is fixed while disputing some of the more explosive claims circulating online. That gap between social-media rumors and verified incident details has made it difficult to confirm the exact scope of the breach.

Why This Matters for AI Security

The incident is likely to intensify scrutiny of AI systems that are allowed to perform administrative actions, not just answer questions. Meta had previously expanded AI support across Facebook and Instagram with capabilities that included account recovery functions such as password resets and identity verification.

That design can improve customer service, but it also creates a high-risk single point of failure if the AI accepts bad inputs or is too easily convinced to trust an attacker. Security experts are likely to view this as a textbook example of why AI assistants handling authentication should be tightly constrained, audited, and layered behind stronger human verification controls.

What Users Should Do Now

Instagram users should treat any unexpected account activity as urgent, especially if they receive password reset emails or notices about email changes they did not request. Users should also review recovery email addresses, enable stronger authentication methods where available, and report suspicious login activity immediately.

Even though Meta says the issue is fixed, the incident shows that account recovery systems remain attractive targets because they sit at the intersection of convenience and trust. As platforms increasingly lean on AI for support, the security of those systems will matter as much as the intelligence behind them.

AndroGuider Team

Articles written by the AndroGuider team. We try to make them thorough and informational while being easy to read.