# Hackers Exploit Meta AI to Hijack Instagram Accounts

> Source: <https://letsdatascience.com/news/hackers-exploit-meta-ai-to-hijack-instagram-accounts-4a1fa966>
> Published: 2026-06-03 08:20:55.126919+00:00

Multiple security outlets report that attackers used Meta's AI-powered support assistant to take over high-profile Instagram accounts by tricking the bot into changing account email addresses. KrebsOnSecurity, TechCrunch, Ars Technica, PCMag and others published videos and screenshots circulated on Telegram showing attackers who used a VPN to approximate a target's region, started a password reset, then asked the Meta AI support assistant to link a new email address and send a verification code to that address. TechCrunch verified that the attacker-controlled mailbox received the reset code. Meta responded on X via VP of Communications Andy Stone: "This issue has been resolved and we are securing impacted accounts," according to multiple outlets. Editorial analysis: This incident underscores prompt-injection and privilege-management risks when conversational agents control account-recovery flows.

### What happened

**Multiple outlets report** that attackers used a prompt-injection style trick against **Meta's AI support assistant** to gain control of several Instagram accounts, including the account for the Obama White House and the Instagram profile of the U.S. Space Force chief master sergeant, according to reporting by **KrebsOnSecurity**, **TechCrunch**, **Ars Technica**, **PCMag**, and **Engadget**.

**Videos and screenshots circulated on Telegram** show an attacker using a VPN to present an IP address near the target's presumed location, initiating a password reset, and then opening a chat with the AI support assistant; the attacker typed a request to have the account's email changed to an attacker-controlled address, after which the assistant allegedly sent an 8-digit verification code to that attacker email, enabling a password reset, per **TechCrunch** and **PCMag**.

**TechCrunch verified** that the attacker mailbox displayed in the video indeed received the reset code, and **Ars Technica** and **404 Media** report the exploit was publicly discussed on Telegram and may have been active since earlier in the year.

**Meta's public response** on X was quoted by several outlets: Andy Stone, Meta VP of Communications, wrote, "This issue has been resolved and we are securing impacted accounts," per **TechCrunch** and **Engadget**.

### Editorial analysis - technical context

This incident highlights two generic risks that appear across conversational-support deployments. First, when an AI agent is granted direct control over account-recovery workflows, prompt-injection techniques can be used to escalate privileges if conversational context or intent validation is weak. Second, reliance on coarse geolocation signals (for example, IP-region heuristics) can be circumvented using VPNs; sources describing the attack flow note VPN use to approximate a target region, which reduced false-positive triggers in the reported demonstrations. These are industry-pattern observations, not assertions about Meta's internal engineering choices.

### Context and significance

Industry reporting frames this as a noteworthy case because it involves widely used consumer accounts and an AI agent that automates high-risk actions. Observed compromises of short-handle or high-value Instagram names, which outlets say are resold on gray markets, increase financial incentives for attackers, according to **KrebsOnSecurity**. For practitioners, the episode underscores that integrating LLM-driven assistants into safety-critical flows materially changes the attack surface: conversational inputs become an attack vector and automation reduces the number of manual checks between request and action.

### What to watch

- Monitor vendor advisories and changelogs for any account-recovery or support-bot privilege reductions; several outlets say Meta applied an emergency patch; **Ars Technica** reports it was implemented on May 29.
- Watch security-research posts and Telegram channels for additional proof-of-concept materials and claims of scope; multiple reports reference Telegram posts and videos.
- Check for broader industry guidance or regulator attention on AI agents that execute state-changing operations, since this case ties conversational AI to direct account control.

### For practitioners

Editorial analysis: Companies deploying AI assistants into support workflows commonly confront choices about scope limiting, intent validation, and audit trails. Implementing stringent verification gating before any agent-initiated credential changes, logging human-review triggers for sensitive flows, and treating conversational inputs as adversarial can reduce exposure. These comments are framed as industry best-practice considerations and do not describe the internal posture of the companies involved.
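A sketch of the verification gate described above, added here as an illustration; it is not code from Meta or from any of the outlets cited, and it does not describe Meta's systems. The tool names, proof types and the `authorize` function are hypothetical. The decision uses only server-side session state, ignores what was typed in the chat, and logs the IP-region signal without treating it as proof.

```python
from dataclasses import dataclass, field

# Hypothetical tool names an assistant might be able to call.
SENSITIVE_TOOLS = {"change_email", "reset_password"}
# Proofs of account control, recorded by the auth service (never by the model).
STRONG_PROOFS = {"code_to_existing_email", "authenticated_session", "passkey"}

@dataclass
class Session:
    account_id: str
    proofs: set = field(default_factory=set)
    ip_region_matches: bool = False  # coarse signal; a VPN can satisfy it

@dataclass
class ToolCall:
    name: str
    args: dict

def authorize(session, call, emails_on_file, audit_log):
    """Return allow / deny / human_review using server-side state only.
    The chat transcript is deliberately not an input to this decision."""
    decision, reason = "allow", "non-sensitive tool"
    if call.name == "send_verification_code":
        # Codes may only go to an address already bound to the account.
        if call.args.get("email") not in emails_on_file:
            decision, reason = "deny", "destination not on file"
        else:
            reason = "destination already on file"
    elif call.name in SENSITIVE_TOOLS:
        # ip_region_matches is logged below but never counts as proof.
        if session.proofs & STRONG_PROOFS:
            reason = "step-up proof present"
        else:
            decision, reason = "human_review", "no proof of account control"
    audit_log.append({"account": session.account_id, "tool": call.name,
                      "decision": decision, "reason": reason,
                      "ip_region_matches": session.ip_region_matches})
    return decision

def demo():
    """Constructed sample: region matches, but nothing proves account control."""
    log, on_file = [], {"owner@example.com"}
    s = Session("acct-1", ip_region_matches=True)
    calls = [ToolCall("change_email", {"email": "new@example.net"}),
             ToolCall("send_verification_code", {"email": "new@example.net"}),
             ToolCall("send_verification_code", {"email": "owner@example.com"})]
    results = [authorize(s, c, on_file, log) for c in calls]
    s.proofs.add("code_to_existing_email")  # owner completed the emailed challenge
    results.append(authorize(s, calls[0], on_file, log))
    return results, log
```

Every call, allowed or not, leaves an audit record, so the `human_review` entries double as the review queue for sensitive flows.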

## Scoring Rationale

This is a high-impact security incident because multiple outlets corroborated an exploit that lets conversational AI perform credential-reset actions on widely used consumer accounts. The story matters to practitioners integrating AI into sensitive workflows and to security teams assessing conversational-agent privilege models.

