
Meta AI Exploited to Hijack High-Profile Instagram Accounts

Published on
June 3, 2026

A flaw in Meta's AI-powered support system allowed attackers to hijack Instagram accounts without stealing passwords, deploying malware, or sending a single phishing link. All it took was knowing what to type.

Over the weekend, multiple high-profile Instagram accounts were compromised after attackers exploited Meta AI's account recovery assistant to reassign account credentials to addresses they controlled. The attack bypassed two-factor authentication entirely, locked victims out within minutes, and left them with no path to human support. Meta pushed an emergency patch Friday night, but the damage was already done.

How Attackers Used Meta AI for Account Hijacking

To understand the attack, you first need to understand what Meta's AI support assistant was built to do. Instagram has long struggled with human support capacity. Recovering a locked account can take days of back-and-forth with automated ticketing systems. Meta deployed a conversational AI layer to handle common recovery tasks: relinking a lost email address, triggering password resets, verifying account ownership.

To perform those functions, the AI needed real write access to account management APIs. That access became the attack surface.

The method was straightforward. An attacker identified a target account and opened a conversation with the Meta AI support assistant. They sent a message asking the bot to link a new email address to the target username, providing their own email as the destination. The bot complied. It routed a password reset link to the attacker's address, no verification to the account's actual owner, no secondary confirmation, no friction.

Once the link arrived, the attacker reset the password, cycled the backup codes, and the original owner was out. The whole process took minutes.
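The takeover chain just described (assistant-initiated email relink, then password reset, then backup-code rotation, all within minutes) is also a detectable sequence. The following is an added detection sketch written for this article, not Meta's code or log format: the event lines, field names, actor labels and the fifteen-minute window are constructed assumptions, and a real deployment would source equivalent fields from its own account audit log.

```python
"""Detect the relink -> reset -> backup-code-rotation chain in account audit events.

Added illustration; the log format, field names and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Meta logs). 'alice' shows the full chain
# started by the AI assistant; 'bob' relinks via the assistant but resets hours later.
SAMPLE_EVENTS = [
    "2026-05-30T21:00:05Z account=alice actor=ai_assistant requester=sess_9f3 event=email_linked detail=new@relinked.example",
    "2026-05-30T21:02:40Z account=alice actor=reset_flow requester=sess_9f3 event=password_reset",
    "2026-05-30T21:03:10Z account=alice actor=settings requester=sess_9f3 event=backup_codes_rotated",
    "2026-05-30T22:10:00Z account=bob actor=ai_assistant requester=sess_111 event=email_linked detail=bob.new@example.org",
    "2026-05-31T09:00:00Z account=bob actor=reset_flow requester=sess_111 event=password_reset",
]

CHAIN = {"email_linked", "password_reset", "backup_codes_rotated"}
WINDOW = timedelta(minutes=15)  # assumed alert window


def parse_event(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_takeover_chains(lines, window=WINDOW):
    """Return one alert per account where an assistant-initiated email relink is
    followed by a password reset and backup-code rotation within `window`."""
    by_account = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        by_account[event["account"]].append(event)

    alerts = []
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            # Only chains that begin with the assistant changing the contact email.
            if start["event"] != "email_linked" or start.get("actor") != "ai_assistant":
                continue
            seen = {"email_linked"}
            for later in events[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                seen.add(later["event"])
            if seen >= CHAIN:
                alerts.append({
                    "account": account,
                    "start": start["ts"].isoformat(),
                    "new_email": start.get("detail"),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_chains(SAMPLE_EVENTS):
        print("possible takeover:", alert)
```

The rule keys on the actor that started the chain, which matters here: a relink performed by the owner from an authenticated settings page is routine, while one performed by an agent on a requester's behalf, followed by the two steps that lock the owner out, is the pattern the article describes.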

Bypassing Identity Checks with AI-Generated Video

In cases where Meta's system prompted a selfie verification, attackers had a workaround ready. They pulled public photos from the target's Instagram profile, processed them through an AI video generator to produce a moving facial animation, and submitted the result to Meta's automated verification system. The system accepted it.

To avoid triggering geographic fraud signals, attackers used a VPN configured to match the target's expected location, information readily available from the victim's own public profile. The attack required no special tooling, no insider access, and no technical expertise beyond knowing the steps.

High-Value Accounts Targeted and Sold Within Minutes

The accounts targeted were not random. Attackers focused on so-called "OG" handles: short usernames, dictionary words, rare two and three-character accounts that trade for significant sums on underground markets. Stolen handles were listed on Telegram almost immediately after compromise, with brokers already set up to move inventory fast.

Among the confirmed victims were app researcher Jane Manchun Wong, the handles @hey and @jowo, and the @korn account. The dormant @obamawhitehouse account, inactive since the 2017 presidential transition, was also taken over and briefly used to post pro-Iranian content before Meta intervened.

Researchers tracking underground markets estimated the combined gray-market value of the stolen handles at over one million dollars. Because Meta's dispute resolution process runs on days, not minutes, attackers had a workable window to profit before any account was restored.

The Confused Deputy Problem

Security researchers identified the underlying flaw as a classic "confused deputy" vulnerability. The concept describes a scenario where a legitimate intermediary holds elevated privileges that an attacker lacks directly. By manipulating the intermediary, the attacker causes it to exercise those privileges on their behalf.

In this case, Meta AI held write access to email-binding and password-reset APIs that a regular user cannot touch directly. Because the assistant lacked any hard authentication gate before executing those actions, anyone who framed a request correctly could trigger them. The bot did exactly what it was designed to do. It was simply pointed at the wrong target.

What made this particularly dangerous is that the intermediary was a large language model. A deterministic system has hard-coded conditionals that require technical skill to bypass. A language model responds to natural language, which means the attack surface is the model's own comprehension. Manipulation requires words, not code.

Meta's Response and the "No Breach" Framing

Meta acknowledged the issue and pushed a patch Friday night, restricting the AI assistant's access to the API paths that had been exploited. In a public statement, the company said it had fixed an issue allowing external parties to request password reset emails for some users, and confirmed no backend systems were breached.

The "no breach" framing is technically accurate. No database was accessed through SQL injection or credential theft. However, security researchers were quick to note that the distinction offers little comfort to users who lost accounts worth hundreds of thousands of dollars. A logic flaw that enables account takeover at scale is a meaningful security failure, regardless of whether database rows were touched.

Reports also indicated that a second exploit, this one involving Facebook recovery flows, was already circulating on Telegram at the time of Meta's patch. At the time of publication it remained unpatched.

A Warning the Industry Had Already Issued

This incident did not arrive without warning. OWASP's Top 10 for Large Language Model Applications, published in 2023, listed "excessive agency" as one of the primary risks of deploying AI agents: giving language models permissions that are too broad, particularly the ability to execute irreversible actions without a human confirmation step.

The tradeoff is not complicated. Human support agents are expensive. An AI that resolves the majority of account recovery tickets automatically is a significant operational saving. But the legitimate use case and the adversarial one share the same interface. Building a system that is convenient for real users while remaining resistant to manipulation requires friction, and friction costs money.

Meta is not the only company facing this tradeoff. Conversational AI is being deployed across customer support, identity verification, and account management at scale. The tooling for building these systems has advanced quickly. Security frameworks for auditing what AI agents are actually authorized to do, and how that authorization holds up under adversarial prompting, have not kept pace.
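The confused deputy section above and OWASP's "excessive agency" risk describe the same architectural gap: the agent's privilege is decided by what the model extracted from free text rather than by who is authenticated. The following added example, which is not Meta's design or code, shows the two shapes side by side. Account records, sessions, tool names and the confirmation flow are all assumptions; the design point is that the hardened path takes its authority from the login stack's principal and a deterministic owner-confirmation step, so the model's interpretation of a request can never, on its own, rebind a credential.

```python
"""Deterministic authorization gate in front of an agent's account-management tools.

Added illustration; accounts, sessions and tool names are assumptions.
"""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Account:
    username: str
    email: str
    pending: dict = field(default_factory=dict)  # token -> proposed new email


@dataclass
class Session:
    # Principal established by the normal login stack, never by the assistant.
    principal: str
    step_up_verified: bool = False  # fresh 2FA / re-auth for sensitive changes


# Constructed account store.
ACCOUNTS = {"alice": Account("alice", "alice@example.org")}


# --- Confused-deputy shape: the tool acts on whatever the model extracted -------
def link_email_confused(target: str, new_email: str) -> str:
    """The assistant holds write access; whoever can phrase the request uses it.
    No check that the requester is the owner, and the reset link goes to the
    NEW address, so the existing owner is never consulted."""
    ACCOUNTS[target].email = new_email
    return "reset link sent to " + new_email


# --- Hardened shape: authority comes from the session, not from the text --------
def request_email_change(session: Session, target: str, new_email: str) -> dict:
    """Stage a contact change. Returns {'ok': False, 'reason': ...} on denial,
    or {'ok': True, 'notify': <current email>, 'token': ...} when staged."""
    if session.principal != target:
        return {"ok": False, "reason": "requester is not the account owner"}
    if not session.step_up_verified:
        return {"ok": False, "reason": "step-up authentication required"}
    token = secrets.token_urlsafe(16)
    ACCOUNTS[target].pending[token] = new_email
    # Confirmation is delivered to the CURRENT contact, so the existing owner
    # must approve before anything irreversible happens.
    return {"ok": True, "notify": ACCOUNTS[target].email, "token": token}


def confirm_email_change(target: str, token: str) -> bool:
    """Apply the staged change only when the owner presents the token."""
    acct = ACCOUNTS[target]
    for staged_token, new_email in acct.pending.items():
        if hmac.compare_digest(staged_token, token):
            acct.email = new_email
            acct.pending.clear()
            return True
    return False


def assistant_tool_call(session: Session, tool: str, args: dict) -> dict:
    """Single dispatch point for model-chosen tools. The model picks `tool` and
    `args`; the gate decides. Irreversible credential tools never run directly."""
    if tool == "link_email":
        return request_email_change(session, args["target"], args["new_email"])
    return {"ok": False, "reason": "unknown or unapproved tool"}


if __name__ == "__main__":
    stranger = Session(principal="mallory", step_up_verified=True)
    print(assistant_tool_call(stranger, "link_email",
                              {"target": "alice", "new_email": "m@example.net"}))
    owner = Session(principal="alice", step_up_verified=True)
    staged = assistant_tool_call(owner, "link_email",
                                 {"target": "alice", "new_email": "new@example.org"})
    print(staged, confirm_email_change("alice", staged["token"]))
```

The gate in `assistant_tool_call` is ordinary conditional code, which is the point: it does not read the conversation, so no phrasing of a request can alter its decision, and the only party who can complete the change is whoever controls the contact the account already has.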

What Instagram Users Should Do Now

Meta says the specific vulnerability is patched. That does not mean Instagram account security risks have disappeared. A few steps are worth taking now:

  • Switch from SMS-based two-factor authentication to an authenticator app. SIM swapping remains a reliable attack against phone-number-based verification, and this incident demonstrated that even 2FA can be sidestepped when the recovery layer itself is compromised.
  • Use a private email address for your Instagram account — one that does not appear on your public profiles or professional pages. The less information an attacker can pull from your public presence, the fewer details they can use to make a request look convincing.
  • Generate a fresh set of backup recovery codes under your security settings and store them offline, in a password manager with a local vault or printed somewhere secure. If an attacker cycles your backup codes after a takeover, recovery options narrow quickly.
  • Check your active login sessions periodically and terminate anything unfamiliar. If you receive an unexpected password reset email from Instagram, open the app directly rather than clicking any link in the email, and verify your linked contact details are still yours.

The Broader Question This Leaves Open

Meta's emergency patch addressed the specific API paths that were abused. It does not resolve the architectural question at the centre of this incident: should an AI assistant ever be capable of executing irreversible changes to account credentials without a hard, deterministic authentication checkpoint? Based on what played out over the weekend, the answer is clearly no.

The more pressing question is how many other platforms are currently running AI agents with similar privilege gaps, waiting for someone to find them. This attack required no advanced tooling and no technical background. It required knowing what to ask. That is a low bar, and there is little reason to assume Meta was uniquely careless in reaching it.
