
Hackers took control of dozens — by some reports, hundreds — of Instagram accounts over a single weekend by manipulating Meta’s AI assistant, seizing high‑profile pages including the long‑dormant Obama White House account and posting pro‑Iranian images and messages. The incident matters because it used an automated customer‑service flow to change account recovery details rather than exploiting a conventional software vulnerability, exposing systemic risks in AI‑driven account management.
The method, shared online as a step‑by‑step recipe, relied on coaxing the Meta chatbot to attach an attacker‑controlled email to a target Instagram profile. Operators used a VPN with an IP address close to the account holder’s reported hometown to make requests appear legitimate; Meta AI then sent a one‑time code to the supplied email, which the attackers used to authenticate the link and trigger a password reset.
The compromise struck verified and otherwise locked‑down accounts, not just throwaway profiles. Alongside the Obama White House page, reported victims included the Office of the Chief Master Sergeant of the U.S. Space Force, cosmetics retailer Sephora and security researcher Jane Wong. Wong described unexpected password resets and repeated logouts from the Instagram iOS app; the total number of affected accounts has not been confirmed. Meta spokesperson Andy Stone posted that “this issue has been resolved and we are securing impacted accounts.” The flaw surfaced about three months after Meta shifted some customer‑service tasks, including forgotten‑password flows, to AI systems — a sequencing critics highlight when assessing the risks of automating sensitive recovery operations.
Security practitioners and affected users emphasized the same root problem: an automated agent was permitted to complete account‑recovery actions without human review or stronger verification tied to the account owner. Observers noted that allowing one AI system to trick another, with no human in the loop, enabled the attackers to defeat protections on verified, supposedly higher‑security accounts.
For builders and operators the episode outlines concrete mitigation priorities: prevent automated email‑linking and password resets for high‑risk or verified accounts, require confirmation through existing account channels, enforce stricter multi‑factor verification before recovery actions, and flag unusual IP or address patterns for human review. More broadly, the incident raises questions about how far AI should be entrusted with authentication decisions and what incident‑response controls are required when automation handles sensitive user flows.
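The mitigation priorities listed above can be expressed as a policy gate that sits between an automated assistant and the account-recovery backend. The following is an added illustration, not Meta's code; the `Account` and `RecoveryRequest` fields, the `Decision` outcomes and the sample data are all constructed for the example. It shows the ordering a defender wants: automation is refused outright for verified or high-risk accounts, every recovery action must be confirmed through a channel already on the account (a code sent to the newly supplied email proves nothing about the owner), MFA is enforced before the action, and an IP-region mismatch escalates to a human rather than being silently allowed. It also encodes the caveat the incident highlights: a matching region is trivially obtained with a VPN, so geolocation only ever adds risk and never substitutes for ownership proof.

```python
"""Policy gate for recovery actions requested through an automated assistant.

Added example: field names, decision values and sample data are constructed
assumptions for illustration and are not Meta's implementation.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    HUMAN_REVIEW = "human_review"


@dataclass
class Account:
    username: str
    verified: bool             # verified / badge-holding account
    high_risk: bool            # government, brand or public-figure page
    mfa_enrolled: bool
    recovery_emails: tuple     # addresses already on file before this request
    home_region: str           # region the account holder reported


@dataclass
class RecoveryRequest:
    action: str                           # "link_email" or "reset_password"
    requested_email: str                  # email the requester wants attached
    source_region: str                    # geolocation of the requesting IP
    mfa_passed: bool                      # owner-bound second factor completed
    confirmed_via_existing_channel: bool  # confirmed through an email/phone already on file
    handled_by_automation: bool           # completed end-to-end by the AI assistant


SENSITIVE_ACTIONS = {"link_email", "reset_password"}


def evaluate_recovery(account: Account, request: RecoveryRequest) -> tuple[Decision, list[str]]:
    """Return a decision and the reasons behind it; rules are checked strictest first."""
    reasons: list[str] = []
    if request.action not in SENSITIVE_ACTIONS:
        return Decision.ALLOW, ["action is not a recovery action"]

    # 1. Automation never completes recovery for verified or high-risk accounts;
    #    these always go through a human agent.
    if request.handled_by_automation and (account.verified or account.high_risk):
        reasons.append("automated recovery disabled for verified/high-risk account")
        return Decision.DENY, reasons

    # 2. Confirmation must arrive through a channel already on the account. A
    #    one-time code sent to the *requested* email only proves the requester
    #    controls that email, not the account.
    if not request.confirmed_via_existing_channel:
        reasons.append("recovery not confirmed through an existing account channel")
        return Decision.DENY, reasons

    # 3. MFA before any recovery action when the account has it enrolled.
    if account.mfa_enrolled and not request.mfa_passed:
        reasons.append("multi-factor verification required before recovery")
        return Decision.DENY, reasons

    # 4. Geolocation only adds risk, never removes it: a region that matches the
    #    reported hometown is easy to fake with a VPN, so a match is not evidence
    #    of ownership, while a mismatch is worth a human look.
    if request.source_region != account.home_region:
        reasons.append("source region differs from reported home region")
        return Decision.HUMAN_REVIEW, reasons

    reasons.append("all recovery checks passed")
    return Decision.ALLOW, reasons


if __name__ == "__main__":
    # Constructed sample data.
    gov_page = Account("gov_page", True, True, True, ("press@example.invalid",), "US-DC")
    attempt = RecoveryRequest("link_email", "new@example.invalid", "US-DC", False, False, True)
    print(evaluate_recovery(gov_page, attempt))
```

In practice the `reasons` list is what you log and alert on: a burst of `DENY` results with "automated recovery disabled" or "not confirmed through an existing account channel" across many accounts is exactly the signal an operations team would want from an incident like this one.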