Meta AI Security Flaw Exposed: Hackers Hijack Instagram Accounts Through Chatbot Exploit

As artificial intelligence becomes increasingly integrated into customer support systems, cybersecurity experts continue to warn that even advanced AI tools can introduce new vulnerabilities if not properly secured. Meta recently faced such a challenge after reports emerged that hackers had exploited its AI-powered support chatbot to gain unauthorized access to Instagram accounts.

The incident drew widespread attention after several users reported account takeovers on social media platforms, raising concerns about the security of AI-driven support systems and the protection of user accounts.

Although Meta has since addressed the issue, the episode highlights how cybercriminals are constantly finding new ways to exploit automated systems.

Reports of Instagram Account Takeovers Surface

Between May 30 and May 31, multiple Instagram users reported that their accounts had been compromised. Several complaints surfaced on platforms such as Reddit and X, where affected users described being unexpectedly locked out of their accounts.

High-Profile Accounts Also Affected

The reported attacks did not appear to be limited to ordinary users. Among the accounts reportedly impacted were the Obama White House Instagram page and John Bentivegna, the chief master sergeant of the United States Space Force.

Cybersecurity researcher Jane Wong also disclosed that her Instagram account had been compromised during the incident.

Jane Wong Shares Her Experience

“The password got changed without my knowledge, and I was getting different password reset attempts throughout yesterday. And I got repeatedly logged out from the IG iOS app,” Wong said in the post.

Her account of the incident added credibility to concerns that a broader vulnerability might have been exploited.

How Hackers Exploited Meta’s AI Chatbot

According to demonstrations shared online, including a video posted by Dark Web Informer on X, attackers allegedly used a combination of location spoofing and manipulation of Meta’s AI support assistant to gain access to targeted Instagram accounts.

Step 1 – Location Spoofing

The attacker reportedly first used a Virtual Private Network (VPN) to mimic the victim’s location. This step was intended to help bypass Instagram’s automated security checks and make the login attempt appear legitimate.

Step 2 – Engaging Meta’s AI Support Assistant

After masking their location, the attacker initiated a conversation with Meta’s AI-powered support chatbot and requested that a new email address be linked to the targeted Instagram account.

Step 3 – Verification Process

The chatbot allegedly sent a verification code to the email address supplied by the attacker. Once the code was received, it was provided back to the chatbot for verification.

Step 4 – Password Reset

Following successful verification, the chatbot reportedly displayed a “Reset Password” option. The attacker could then create a new password and effectively take control of the account.

This process bypassed traditional recovery safeguards and gave unauthorized users access to victim accounts.

Meta Responds and Fixes the Security Issue

Meta moved quickly after reports of the exploit gained attention online.

On June 1, Instagram spokesperson Andy Stone responded publicly to Jane Wong’s post, confirming that the security vulnerability had been fixed.

Vulnerability No Longer Active

According to Stone, the flaw had previously allowed attackers to manipulate Meta’s AI support chatbot into redirecting password reset codes to unauthorized email addresses.

Once discovered, Meta implemented corrective measures to prevent further exploitation and protect user accounts from similar attacks.

What This Means for Instagram Users

The incident demonstrates that even sophisticated AI-powered systems can become targets for cybercriminals. As companies increasingly deploy AI for customer support, security experts emphasize the importance of combining automation with strong verification controls.

Importance of Two-Factor Authentication

One notable aspect of the incident is that users with two-factor authentication (2FA) enabled were reportedly not affected by the exploit.

Two-factor authentication adds an extra security layer by requiring users to verify their identity through a secondary method, such as a mobile device or authentication app.

Recommended Security Measures

Instagram users can strengthen account security by:

• Enabling two-factor authentication (2FA).
• Reviewing login activity regularly.
• Updating passwords periodically.
• Avoiding password reuse across multiple platforms.
• Monitoring account recovery settings.
• Keeping email accounts secure with strong passwords.

Growing Challenges in AI-Powered Security

As artificial intelligence becomes more deeply embedded in digital platforms, companies face the challenge of balancing convenience with security.

AI-powered customer service tools can streamline support processes and improve user experiences, but vulnerabilities in automated systems can create opportunities for abuse if safeguards are not robust enough.

The Meta incident serves as a reminder that cybersecurity must evolve alongside AI innovation. Industry experts increasingly advocate for stronger authentication mechanisms, human oversight in sensitive account recovery processes, and continuous security testing of AI-driven systems.

Conclusion

The recent Instagram account takeover incidents highlight how cybercriminals can exploit weaknesses in emerging technologies, including AI-powered support tools. By reportedly manipulating Meta’s chatbot and leveraging password recovery processes, attackers were able to gain unauthorized access to several accounts, including those belonging to high-profile users.

Although Meta has confirmed that the vulnerability has been fixed, the incident underscores the importance of maintaining strong cybersecurity practices. Users are encouraged to enable two-factor authentication, monitor account activity, and review security settings regularly. As AI becomes a larger part of digital services, both technology companies and users must remain vigilant to ensure convenience does not come at the cost of security.