Meta AI Instagram Hack Outlasts Fix: Company Alerts Victims as Account Takeovers Continue

Spokesperson Andy Stone says the issue is fixed, yet researchers report the chatbot still resets passwords.

A photograph taken during the World Economic Forum (WEF) annual meeting in Davos on January 18, 2024, shows the logo of Meta, the US company that owns and operates Facebook, Instagram, Threads, and WhatsApp. Fabrice COFFRINI/AFP via Getty Images

The warning campaign is striking for one reason: it came after the company already said the underlying flaw had been closed. On Monday, June 1, Meta spokesperson Andy Stone said the problem "has already been fixed." By Tuesday, June 2, more Instagram users, including security researchers, reported that their accounts had been taken over anyway.

For ordinary Instagram users, the practical stake is immediate. The technique needed no phishing link, no malware, and no access to a victim's real email. It turned a customer-support feature into a one-step account-takeover tool, and the people most exposed are those who had not switched on two-factor authentication. If you received a Meta email about "suspicious activity" this week, your account was likely among those targeted, and the fastest protection available is a setting you can change yourself in minutes.

Hackers Reset Instagram Passwords by Asking Meta AI to Swap Account Emails

The method, captured in a video that TechCrunch reviewed and verified, was almost insultingly simple. An attacker first switched on a VPN to make the connection appear to come from near the target's usual location, which kept Instagram's automated location checks from flagging the session. The attacker then opened a chat with the Meta AI Support Assistant and asked it to attach a new, attacker-controlled email address to the victim's account.

From there the chatbot did the rest. It sent a verification code to the new email the attacker had just supplied, rather than to the address already on file. The attacker read that code back to the bot, which then displayed a "Reset Password" button. A new password was set, and the rightful owner was locked out. At no point was a Meta employee or contractor part of the conversation. According to TechCrunch's step-by-step account, the reporter confirmed that the attacker's mailbox shown in the video did receive the code.

Instructions for the trick spread quickly. As KrebsOnSecurity reported, a video circulated by pro-Iran hackers on Telegram on May 31 documented the full sequence, and screenshots soon appeared in cybersecurity and hacking channels where members traded the technique and bragged about results. Several hijacked profiles were briefly defaced with pro-Iranian images.

Meta AI Held Account-Recovery Power Without Verifying Who Was Asking

The vulnerability was not a coding bug in the traditional sense. It was a design decision about how much authority to hand an AI agent. Meta's support assistant was built to carry out account-recovery actions that previously required a human in the loop, such as relinking a lost email address and triggering a password reset. What it lacked was the step a human agent performs almost reflexively: binding the request to a verified identity before changing the contact details that control an account.

In security terms, the chatbot behaved like a "confused deputy." It held the privilege to modify account-recovery settings, and it treated whoever was chatting as the account's rightful owner. The single most consequential flaw was where the verification code went. Sending a one-time code to an attacker-supplied address, instead of to the address already registered on the account, removed the only checkpoint that would have stopped the takeover. The VPN geolocation step was just cover to keep automated heuristics quiet while the conversation played out.

That is the engineering tradeoff at the heart of this incident. Meta deployed an agent with the power to act, not merely to answer, and shipped that capability without an identity-binding gate around its most sensitive action. Once any chatbot can change settings or move money, a single well-phrased sentence becomes an attack tool. The same pattern is now appearing across the industry as companies wire language models into systems that take real-world actions.


Did Meta's Patch Stop Instagram Account Takeovers?

Not cleanly, according to the people watching it closely. Stone told TechCrunch that Meta secured affected accounts on Monday and then began sending password-reset emails, and in a later post said some users "may receive password reset notifications" while others may face security questions at login. The company declined to say how many accounts were compromised.

Yet the takeovers did not stop. Android Authority reported that members of one Telegram channel claimed Meta had only removed a support button from the app's interface, the "Get Support" entry point, while the Meta AI application programming interface endpoints behind it allegedly stayed reachable. By that account, skilled users simply moved to scripts and Telegram bots that talk to the same AI system directly. Hackers were still advertising stolen handles for sale at the time of TechCrunch's reporting.

This is the gap between a cosmetic fix and a structural one. Removing a button hides the front door; it does not change what the agent on the other side of the door is willing to do. Until the identity-verification step is enforced at the action layer, security researchers warn, the same prompt-based approach can be reached through other channels.
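The two design points above, the "confused deputy" that mails the one-time code to whatever address the requester supplies, and the difference between hiding a button and enforcing the check at the action layer, can be shown in a small model. The following is an added example written for this article, not Meta's code, and every class, account and email address in it is constructed for the demonstration. It contrasts a recovery service that trusts the requester's address with one that only ever mails the code to the address already on file, and it puts a thin chat front-end in front of both so that "removing the button" can be compared with fixing the action itself.

```python
"""Toy model of an AI support agent with account-recovery authority.

Added example, not Meta's code. It contrasts the 'confused deputy' design
described in the article (one-time code mailed to the address the requester
just supplied) with a design that binds the request to the address already
on file and enforces that check inside the action itself, so a chat widget,
a script or a bot all hit the same gate. Accounts, mailboxes and addresses
are constructed for the demo.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    handle: str
    registered_email: str
    password: str


@dataclass
class Mailbox:
    # address -> most recent one-time code delivered there (stand-in for mail)
    delivered: dict = field(default_factory=dict)

    def send_code(self, address: str) -> None:
        self.delivered[address] = f"{secrets.randbelow(10**6):06d}"


class ConfusedDeputyRecovery:
    """Flawed design: trusts whoever is chatting and mails the code to the
    new address, so possession of that mailbox is the only 'proof'."""

    def __init__(self, accounts: dict, mailbox: Mailbox):
        self.accounts, self.mailbox = accounts, mailbox

    def request_email_change(self, handle: str, new_email: str) -> None:
        self.mailbox.send_code(new_email)  # code goes to the NEW address

    def confirm_and_reset(self, handle, new_email, code, new_password) -> bool:
        if self.mailbox.delivered.get(new_email) != code:
            return False
        acct = self.accounts[handle]
        acct.registered_email, acct.password = new_email, new_password
        return True


class ActionLayerRecovery:
    """Hardened design: the code is mailed only to the address already on
    file, and the check lives in the action, not in the UI in front of it."""

    def __init__(self, accounts: dict, mailbox: Mailbox):
        self.accounts, self.mailbox = accounts, mailbox

    def request_email_change(self, handle: str, new_email: str) -> None:
        # The requester-supplied address plays no part in verification.
        self.mailbox.send_code(self.accounts[handle].registered_email)

    def confirm_and_reset(self, handle, new_email, code, new_password) -> bool:
        acct = self.accounts[handle]
        if self.mailbox.delivered.get(acct.registered_email) != code:
            return False  # request is not bound to the registered owner
        acct.registered_email, acct.password = new_email, new_password
        return True


class SupportChatFront:
    """The chat entry point. 'Removing the button' only flips this flag;
    callers that reach the service directly never see it."""

    def __init__(self, service, button_enabled: bool = True):
        self.service, self.button_enabled = service, button_enabled

    def ask_to_add_email(self, handle: str, new_email: str) -> bool:
        if not self.button_enabled:
            return False
        self.service.request_email_change(handle, new_email)
        return True


def simulate(service_cls, controlled: set, new_email: str,
             via_chat: bool = True, button_enabled: bool = True) -> bool:
    """One recovery attempt by a requester who can read only the mailboxes in
    `controlled`. Returns True if the requester ends up owning the account."""
    accounts = {"alice": Account("alice", "alice@example.test", "original-pw")}
    mailbox = Mailbox()
    svc = service_cls(accounts, mailbox)
    if via_chat:
        if not SupportChatFront(svc, button_enabled).ask_to_add_email("alice", new_email):
            return False
    else:
        svc.request_email_change("alice", new_email)  # script/bot path
    code = next((c for addr, c in mailbox.delivered.items() if addr in controlled), None)
    if code is None:
        return False
    ok = svc.confirm_and_reset("alice", new_email, code, "requester-pw")
    return ok and accounts["alice"].password == "requester-pw"


if __name__ == "__main__":
    stranger = {"stranger@example.test"}
    owner = {"alice@example.test", "alice-new@example.test"}
    print("flawed, stranger via chat:",
          simulate(ConfusedDeputyRecovery, stranger, "stranger@example.test"))
    print("flawed, button removed, direct call:",
          simulate(ConfusedDeputyRecovery, stranger, "stranger@example.test",
                   via_chat=False, button_enabled=False))
    print("hardened, stranger, direct call:",
          simulate(ActionLayerRecovery, stranger, "stranger@example.test", via_chat=False))
    print("hardened, owner via chat:",
          simulate(ActionLayerRecovery, owner, "alice-new@example.test"))
```

The point of `simulate` is where the requester reads the code from: a requester who controls only their own mailbox succeeds against `ConfusedDeputyRecovery` whether or not the chat button exists, because the direct call reaches the same unguarded action, and fails against `ActionLayerRecovery` because the code never leaves the registered address. The legitimate owner, who can read the registered mailbox, still completes the change through the hardened path.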

Two-Factor Authentication Blocked Original Trick, Then One Protected Account Fell

The strongest piece of self-defense, early on, was clear. KrebsOnSecurity reported that the original exploit failed against any account with multi-factor authentication enabled, and that even the weakest option Instagram offers, a one-time code sent by text message, would likely have blocked it. Accounts without that layer fell in minutes.

The picture grew murkier after Meta's announced fix. Reverse engineer Jane Manchun Wong reported that a secondary account with two-factor enabled was hijacked anyway, and that her primary account's password was changed again without her knowledge. Esther Crawford, a Meta director of product management and a former Twitter executive, said her own short Instagram handle was taken. Their accounts contradict any assumption that two-factor authentication is a guaranteed shield once attackers move to direct API access, though it remains the most effective protection most users can apply today.

Ian Goldin, a threat researcher at Lumen's Black Lotus Labs, told KrebsOnSecurity that AI chatbots create a new attack surface and that such systems are as open to social engineering as human agents, eager to help and easy to persuade. He predicted more incidents of this kind as platforms hand recovery decisions to automated assistants.

Obama White House Handle and "OG" Username Market Among Targets

The named victims span government, retail, and the tech industry. The compromised accounts included the dormant Obama-era White House Instagram handle, inactive since 2017, although Meta disputed that this specific account was taken over through the chatbot method even as it confirmed the account was hacked. The account of U.S. Space Force chief master sergeant John Bentivegna was also hit, as were profiles tied to beauty retailer Sephora.

A large share of the damage targeted short, memorable usernames. TechCrunch reported that many hijacked handles were common forenames or country names that trade in a gray market for so-called "OG" usernames, resold almost as collectibles. For years, stealing those handles required phishing, phone-number takeovers, or bribing telecom insiders. Here the attackers just asked, and the chatbot complied.

The incident also lands against the backdrop of Meta's aggressive automation push. The company recently laid off roughly 8,000 employees and reassigned thousands more into AI roles, according to reporting cited by Android Authority, the same restructuring that critics argue thinned the human safety teams who once handled account recovery and abuse.

How Instagram Users Can Protect Accounts Now

The most useful action is also the simplest: turn on the strongest form of two-factor authentication your account supports, ideally an authenticator app or a passkey rather than a text-message code. While researchers have shown the post-fix attack reached at least one protected account, two-factor authentication still stopped the original technique cold and raises the cost of any takeover attempt.

Beyond that, treat any "suspicious activity" email from Instagram as a prompt to reset your password immediately, review the email and phone number listed under account settings, and remove any contact address you do not recognize. If you are locked out, use Instagram's official account-recovery flow rather than links sent to you, and be aware that recovery may take time given the volume of affected users.



Frequently Asked Questions

How did hackers take over Instagram accounts using Meta AI?

Attackers opened a chat with Meta's AI support assistant and asked it to add an email address they controlled to a target account. The bot sent a verification code to that attacker email rather than the one on file, then offered a password reset, letting the attacker change the password and lock out the owner.

Did Meta fix the Instagram AI chatbot hack?

Meta said on June 1 that the issue was fixed and began securing accounts and emailing victims. However, users and researchers reported continued takeovers afterward, and some claimed the company only removed a support button while the underlying AI endpoints stayed reachable.

Does two-factor authentication protect against the Meta AI Instagram hack?

Two-factor authentication blocked the original version of the exploit, and even an SMS code would likely have stopped it. After Meta's fix, at least one account with two-factor enabled was still reported hijacked, so it raises the bar but is not a guarantee against direct API-based attacks.

What should I do if my Instagram account was hacked?

Reset your password immediately, enable the strongest two-factor option available, and check your account's listed email and phone number for unfamiliar entries. If you are locked out, use Instagram's official recovery process rather than any links sent to you directly.

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.