How hackers used Meta’s own AI to break into Instagram accounts

#BREAKING: Obama White House’s Instagram account was compromised by Iranian hackers. pic.twitter.com/Pt9Ipu5IKN

— Insider Wire (@InsiderWire) June 1, 2026

The issue first came to light after hackers began sharing videos and screenshots on Telegram and other social media platforms showing how Meta’s AI support assistant could be manipulated into linking a target Instagram account to a new email address controlled by the attacker. Once the new email was attached, the chatbot would facilitate a password reset process, effectively allowing the attacker to seize control of the account.

The company began rolling out its AI-powered customer support assistant for Instagram and Facebook users in March as part of its broader push to automate routine account-management tasks. The chatbot was designed to help users recover accounts, troubleshoot login issues, manage security settings and resolve common support queries without requiring intervention from a human agent.

How did the hack work?

According to videos of the hack on social media, the attack was surprisingly simple. Attackers would start a conversation with Meta’s AI-powered support chatbot and claim that they wanted to update the email address associated with an Instagram account. They would provide the target username along with an email address under their control.

The chatbot would then send a verification code to the attacker’s email address rather than the legitimate account owner’s email. After the attacker entered the code into the chat, the AI assistant would provide a password reset option. Once the password was changed, control of the Instagram account effectively passed to the attacker. At no stage was the attacker required to prove ownership of the original account or gain access to the victim’s email inbox.

Hackers are also said to have used VPNs to make it appear as though they were logging in from locations close to the victim, potentially helping them bypass additional security checks.

This kind of hack is known as a ‘prompt injection’ attack, which, as the name suggests, is an exploit designed around getting AI systems to generate responses based on careful prompts that they are not technically authorised to.

What is a prompt injection attack?

A prompt injection attack is a technique in which an attacker manipulates an AI system by feeding it carefully crafted instructions that override or bypass its intended rules. Large language models such as chatbots rely on natural-language instructions to decide how to respond. If the system has access to sensitive functions—such as changing account settings, approving transactions or resetting passwords—an attacker may be able to trick it into performing actions that its designers never intended.

Unlike conventional cyberattacks that exploit software vulnerabilities through code, prompt injection attacks exploit the AI’s decision-making process through language.

Security researchers have repeatedly warned that prompt injection is one of the biggest unresolved challenges in AI security. The problem becomes particularly serious when AI models are connected to external tools and granted the ability to take actions on behalf of users. In Meta’s case, the chatbot appears to have trusted information supplied during a conversation without adequately verifying that the person making the request actually owned the Instagram account.

The cybersecurity blog CyberSec Guru described the incident as a classic “confused deputy” problem, a long-recognised security flaw where a system with elevated privileges is tricked into acting on behalf of an unauthorised party. In this case, the “deputy” was Meta’s AI support bot, which had the authority to modify account recovery information but failed to adequately verify the identity of the requester.