Log into any Instagram by asking Meta’s AI nicely

2026-06-02 · Source: Pivot to AI · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Novice, medium

Summary

Meta's AI Support Assistant, introduced in March for customer service, has enabled a critical vulnerability in Instagram account recovery. Attackers can seize any Instagram account by identifying the owner's location, connecting via a VPN endpoint nearby, and then instructing the Meta AI bot to send a recovery code to a new, attacker-controlled email address. This process effectively bypasses two-factor authentication and grants full control. The security flaw, which reportedly existed for weeks or months, gained public attention after Iranian hackers demonstrated it on Telegram. Meta implemented AI to accelerate high-value account recovery, inadvertently granting a "hallucinating chatbot" highest-level access to sensitive security functions. Meta's Andy Stone confirmed the issue was resolved and impacted accounts secured.

Key takeaway

For AI Security Engineers evaluating chatbot deployments, this incident highlights the extreme risks of integrating AI agents with high-privilege system access. You must implement rigorous security audits and isolation for AI-driven automation, especially in account recovery or authentication workflows. Prioritize human oversight or multi-factor approval for any AI action that can alter user credentials or bypass existing security measures like 2FA, even if it impacts speed.

Key insights

Granting AI chatbots high-level system access without robust guardrails creates severe security vulnerabilities.

Principles

• AI automation of critical security processes introduces new attack vectors.
• Chatbots are susceptible to prompt injection for unauthorized actions.
• Two-factor authentication can be bypassed by core system vulnerabilities.

Method

Attackers identify a target's location, use a local VPN, then prompt Meta's AI Support Assistant to send an account recovery code to a new, attacker-controlled email.

In practice

• Audit AI systems for unauthorized access to critical functions.
• Implement strict access controls for AI agents.
• Verify AI outputs in security-sensitive workflows.

Topics

• Meta AI
• Instagram Security
• Account Recovery
• Chatbot Vulnerabilities
• Prompt Injection
• Two-Factor Authentication

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, Security Engineer, Tech Journalist

Related on AIssential

• Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked — Meta's AI support bot allowed one-shot Instagram account takeovers via simple requests, exposing critical integration flaws.
• Hackers hijacked high-profile Instagram accounts by simply asking Meta's AI chatbot to change the email — Meta's AI support chatbot was exploited via prompt injection to hijack Instagram accounts, bypassing 2FA and automated identity checks.
• Hackers duped Meta AI support chatbot to steal celebrity Instagram accounts — Meta's AI support chatbot was exploited via prompt injection to facilitate Instagram account takeovers, highlighting risks of AI agents with elevated permissions.
• Podcast: Hackers Asked Meta AI To Let Them In. It Worked — The Meta AI incident reveals critical vulnerabilities in AI systems when handling sensitive account management requests.
• Prompt-inject ChatGPT with any web page — Chatbots inherently struggle to differentiate instructions from data, making prompt injection an unfixable security vulnerability.
• Hacking Meta’s AI Chatbot — LLM chatbots are inherently untrustworthy for security-critical applications, as attack vectors cannot be blocked comprehensively.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Pivot to AI.