Meta's AI Assistant Handed Hackers the Keys to High-Profile Instagram Accounts
Meta's AI-powered account recovery chatbot was used last week to hijack a string of high-profile Instagram accounts, including the Obama White House handle, cosmetics giant Sephora, and the account of John Bentivegna, Chief Master Sergeant of the Space Force. The mechanism was embarrassingly simple.
Attackers exploited what security researchers call a "confused deputy" flaw, a class of vulnerability that has been documented for decades. The basic idea: trick a system with elevated privileges into doing your dirty work for you. In this case, Meta's AI assistant had direct API access to account management functions, including the ability to re-link email addresses and reset passwords. It was, in short, a very helpful bot with very few questions.
Hackers simply told the chatbot they had lost access to their email or been hacked, asked it to link a new address to someone else's account, and the AI complied. No verification. No friction. The bot then sent a confirmation code to the attacker's freshly linked email, which was all that was needed to lock the real owner out.
To sidestep Meta's fraud detection, attackers ran their sessions through VPNs, making it appear they were connecting from the victim's usual location. When the chatbot requested a selfie for identity verification, they fed it AI-manipulated versions of the target's photos. Reportedly, the whole process also bypassed two-factor authentication, and several victims say they received no notification that a password reset had even been attempted.
Hundreds of accounts were reportedly compromised and put up for sale on dark web markets almost immediately. Some of the people involved were cheerfully posting tutorials showing others how to do it.
Meta says the vulnerability has been fixed and the exploit no longer works. How many accounts were taken over before that fix landed remains unclear. The company had not responded to press requests for comment at the time of writing.
Dan Moore, senior director at FusionAuth, put it well: "This is a great illustration of why AI agent authorization is the harder, and more critical, problem than authentication. Meta's bot verified nothing about who was asking; it just helpfully did what it was told to do."
That observation cuts to the heart of something the industry is glossing over. There is considerable energy going into preventing AI from saying offensive or harmful things. Rather less thought has gone into whether an AI agent should be allowed to take consequential, irreversible actions based on nothing more than a politely worded request.
An AI that can reset your password on demand is not an assistant. It is a liability.
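The confused-deputy pattern and the authorization gap described above can be shown as an added example (not Meta's code and not taken from any source quoted here): one agent tool that acts on whatever account the conversation names, beside one that derives authority from the authenticated session and notifies the previous address. All names (`Session`, `relink_vulnerable`, `relink_hardened`, `attempt`) and the sample accounts are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: account handle -> current recovery email.
ACCOUNTS = {"alice": "alice@example.com", "bob": "bob@example.com"}
NOTICES = []  # (address, message) pairs that would be sent to owners


class Denied(Exception):
    """Raised when the session has no authority for the requested action."""


@dataclass(frozen=True)
class Session:
    principal: Optional[str]        # account the platform authenticated, or None
    step_up_verified: bool = False  # fresh proof on an already-enrolled factor


def relink_vulnerable(session: Session, target: str, new_email: str) -> str:
    # Confused deputy: the tool runs with the bot's own privileges and takes
    # the target account from the conversation. The session is never checked.
    ACCOUNTS[target] = new_email
    return "relinked"


def relink_hardened(session: Session, target: str, new_email: str) -> str:
    # Authority is derived from the authenticated session, not from chat text.
    if session.principal is None:
        raise Denied("unauthenticated session")
    if session.principal != target:
        raise Denied("session principal does not own target account")
    if not session.step_up_verified:
        raise Denied("step-up verification required")
    old_email = ACCOUNTS[target]
    ACCOUNTS[target] = new_email
    # Tell the previous address, so the owner learns of the change.
    NOTICES.append((old_email, f"recovery email changed to {new_email}"))
    return "relinked"


def attempt(tool, session: Session, target: str, new_email: str) -> str:
    """Dispatch one model-requested tool call and report the outcome."""
    try:
        return tool(session, target, new_email)
    except Denied as exc:
        return f"denied: {exc}"
```

The point of the hardened variant is that the check lives in the tool layer, outside the model, so no phrasing of the request can change who the session principal is.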