Hackers hijacked 20,000 Instagram accounts by tricking Meta's AI chatbot

Attackers exploited Meta's AI Support Assistant to add unauthorised email addresses to accounts they didn't own

Published June 08, 2026

Hackers have exploited a flaw in Meta's AI-powered support chatbot to take over more than 20,000 Instagram accounts, including profiles linked to the Obama-era White House and the US Space Force, using an attack method that required no technical sophistication whatsoever.

The hackers started a password reset on an Instagram account, selected Meta's “AI Support Assistant” as the contact method for the reset procedure, and then asked the chatbot to add an email address to the account.

This request was completed without requiring the hacker to be logged into the account. The verification code was sent to the email address provided by the hacker, who used it to change the account's password.
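The control missing from the flow described above is an authorization check that runs outside the chatbot and ignores what the chat text asks for. The following is an added sketch of such a check, not code from the article or from Meta; the tool names, `Session` fields and functions are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Hypothetical tool names; the article does not describe Meta's internal tools.
ACCOUNT_CHANGING_TOOLS = {"add_contact_email", "change_password"}


@dataclass(frozen=True)
class Session:
    """Server-side facts about the chat, set by the platform and never by the model."""
    logged_in_account: Optional[str] = None       # account the caller is signed in to
    proved_contact_on_file: Optional[str] = None  # account whose existing email/phone the caller verified


@dataclass(frozen=True)
class ToolCall:
    """An action the assistant proposes after reading the chat text."""
    name: str
    target_account: str
    email: str = ""


def authorize(call: ToolCall, session: Session) -> Tuple[bool, str]:
    """Decide outside the model whether a proposed tool call may run."""
    if call.name not in ACCOUNT_CHANGING_TOOLS:
        return True, "tool does not change the account"
    if session.logged_in_account == call.target_account:
        return True, "caller is logged in to the target account"
    # Recovery path: a password change is allowed only after the caller proved
    # control of a contact point already on file. New contact points are never
    # added here, so a reset code cannot be routed to a caller-supplied address.
    if call.name == "change_password" and session.proved_contact_on_file == call.target_account:
        return True, "caller verified a contact point already on file"
    return False, "caller has not proved control of the target account"


def dispatch(call: ToolCall, session: Session, emails: Dict[str, Set[str]]) -> str:
    """Run the tool only if the policy allows it; the chat text is never consulted."""
    allowed, reason = authorize(call, session)
    if not allowed:
        return f"DENIED {call.name}: {reason}"
    if call.name == "add_contact_email":
        emails[call.target_account].add(call.email)
    return f"OK {call.name}: {reason}"
```

With this gate, a logged-out caller asking the assistant to add an email address gets a denial, and the denial string is a natural event to log and alert on.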

The process required no hacking tools, no code, and no special access. Dark Web Informer posted a video of the exploit in action.

TechCrunch reported that high-profile accounts were among those compromised. They include the Instagram page of the Obama-administration White House, which does not seem to have been active since 2017, and the page of Chief Master Sergeant John Bentivegna of the United States Space Force.

Later, Meta disclosed that about 20,225 Instagram accounts had been hijacked. While Meta admitted that some of these may be cases where the takeover was requested by the users themselves, most did not involve any request from the account's owner.

The attackers who were able to take over user accounts would have had access to an extensive range of personal details: profile information, email addresses, phone numbers, dates of birth, direct messages, posts on social media, and account activity logs.

For high-profile or verified accounts, that would include any saved private messages or information about followers.

Meta has voided all password reset links that were sent out using this vulnerability and has required the users to go through a mandatory security step with a password reset.

Meta disabled the abused AI support tool immediately upon becoming aware of the exploit and has said it will only re-enable it once the underlying vulnerability has been fixed. 

Pareesa Afreen
Pareesa Afreen is a reporter and sub editor specialising in technology coverage, with 3 years of experience. She reports on digital innovation, gadgets, and emerging tech trends while ensuring clarity and accuracy through her editorial role, delivering accessible and engaging stories for a fast-evolving digital audience.