Hackers tricked Meta AI bot to hijack 20,000 Instagram accounts

Hackers compromised around 20,000 Instagram accounts by tricking Meta’s AI-powered support chatbot into granting them access. The attack allowed them to change associated email addresses and reset passwords without ever controlling the victims’ legitimate emails. High-profile accounts including the Obama-era White House, the U.S. Space Force’s chief master sergeant John Bentivegna, and security researcher Jane Wong were among those taken over.

Attackers used VPNs and prompt injection on the support bot. The hackers employed a VPN to spoof the targets’ presumed locations and avoid triggering automated protections. They then opened a chat with Meta’s AI Support Assistant, requested to add a new email address, and provided a verification code sent by the bot to that new address. The chatbot subsequently displayed a “Reset Password” button, allowing the hackers to set a new password and seize control.

A video demonstrating the process circulated on X, and TechCrunch verified that the hacker’s public email mailbox received the verification code as shown. The exploit relied on the chatbot’s failure to verify the requester’s identity or require control of the original linked email. Researchers described it as a straightforward prompt injection attack that had reportedly been active since February.

Compromised accounts were resold on the gray market. Valuable Instagram accounts, including short handles @hey and @jowo, were targeted for resale. Their combined gray-market valuation was estimated above $1 million. Hackers held accounts briefly for clout, resale, or brand impersonation, with some posting pro-Iranian images and messages during the compromise.

Prominent researchers such as Jane Manchun Wong reported their accounts hacked, with Wong stating her password was changed without her knowledge and she received multiple reset attempts. Pseudonymous researcher ZachXBT posted that the Meta AI support had excessive permissions allowing password resets without 2FA and without identity verification. Dark Web Informer similarly described the exploit and noted it had been patched.

Meta deployed an emergency patch and confirmed the scale. Instagram implemented the fix on May 29. Spokesperson Andy Stone stated on May 31 that the issue was resolved. Meta later revealed that around 20,000 accounts were compromised and outlined steps taken in response, though specific additional measures were not detailed in initial reports.