Hackers Exploit Meta AI to Hijack Instagram Accounts

Multiple outlets report that attackers used a prompt-injection style trick against Meta's AI support assistant to gain control of several Instagram accounts, including the account for the Obama White House and the Instagram profile of the U.S. Space Force chief master sergeant, according to reporting by KrebsOnSecurity, TechCrunch, Ars Technica, PCMag, and Engadget.

Videos and screenshots circulated on Telegram show an attacker using a VPN to present an IP address near the target's presumed location, initiating a password reset, and then opening a chat with the AI support assistant; the attacker typed a request to have the account's email changed to an attacker-controlled address, after which the assistant allegedly sent an 8-digit verification code to that attacker email, enabling a password reset, per TechCrunch and PCMag.

TechCrunch verified that the attacker mailbox displayed in the video indeed received the reset code, and Ars Technica and 404 Media report the exploit was publicly discussed on Telegram and may have been active since earlier in the year.

Meta's public response on X was quoted by several outlets: Andy Stone, Meta VP of Communications, wrote, "This issue has been resolved and we are securing impacted accounts," per TechCrunch and Engadget.

This incident highlights two generic risks that appear across conversational-support deployments. First, when an AI agent is granted direct control over account-recovery workflows, prompt-injection techniques can be used to escalate privileges if conversational context or intent validation is weak. Second, reliance on coarse geolocation signals (for example, IP-region heuristics) can be circumvented using VPNs; sources describing the attack flow note VPN use to approximate a target region, which reduced false-positive triggers in the reported demonstrations. These are industry-pattern observations, not assertions about Meta's internal engineering choices.

Industry reporting frames this as a noteworthy case because it involves widely used consumer accounts and an AI agent that automates high-risk actions. Observed compromises of short-handle or high-value Instagram names, which outlets say are resold on gray markets, increase financial incentives for attackers, according to KrebsOnSecurity. For practitioners, the episode underscores that integrating LLM-driven assistants into safety-critical flows materially changes the attack surface: conversational inputs become an attack vector and automation reduces the number of manual checks between request and action.

• •Monitor vendor advisories and changelogs for any account-recovery or support-bot privilege reductions; several outlets say Meta applied an emergency patch; Ars Technica reports it was implemented on May 29.
• •Watch security-research posts and Telegram channels for additional proof-of-concept materials and claims of scope; multiple reports reference Telegram posts and videos.
• •Check for broader industry guidance or regulator attention on AI agents that execute state-changing operations, since this case ties conversational AI to direct account control.

Editorial analysis: Companies deploying AI assistants into support workflows commonly confront choices about scope limiting, intent validation, and audit trails. Implementing stringent verification gating before any agent-initiated credential changes, logging human-review triggers for sensitive flows, and treating conversational inputs as adversarial can reduce exposure. These comments are framed as industry best-practice considerations and do not describe the internal posture of the companies involved.