Instagram is now alerting users who were targeted in a widespread hacking campaign that exploited Meta’s AI chatbot with surprisingly simple requests. The attacks continued even after Meta claimed the issue was fixed, raising serious questions about the security of AI-powered customer support systems.
The hacking technique was shockingly basic. Attackers simply told Meta’s AI support chatbot they owned a target’s Instagram account and asked the bot to link that account to an email address they controlled. The chatbot complied without human verification, allowing hackers to reset passwords and take full control of accounts.
Over the weekend, hackers targeted several high-profile Instagram accounts, including handles with short usernames that can be resold in the gray market for “OG handles.” According to reports, victims included accounts with common first names or country names, as well as the dormant Obama White House account and the U.S. Space Force’s chief master sergeant’s profile.
The attacks highlight a critical vulnerability in Meta’s March decision to implement AI automation for customer support. The company announced its AI-powered chatbot was “designed to resolve account issues from start to finish” with the ability to “reset your password securely.” This automation removed human oversight from sensitive account operations that previously required manual review.
Meta spokesperson Andy Stone initially said Monday that “the issue that did happen has already been fixed.” However, more Instagram users reported hacked accounts on Tuesday, and discussions in hacker Telegram channels suggested the exploit remained active. Stone later acknowledged on X that some users would receive password reset notifications and security questions when logging in.
The company has now begun sending security alerts to affected users. Victims are receiving emails from Instagram stating the platform “detected some suspicious activity that suggests your Instagram may have been compromised.” The messages confirm Meta took steps to secure accounts and request users reset their passwords.
This incident exposes the risks of automating critical security functions without proper safeguards. For years, stealing valuable Instagram usernames required sophisticated attacks like phishing, SIM swapping, or bribing telecom insiders. Now hackers accomplished the same goal by simply asking an AI chatbot nicely.
The scale of the breach remains unclear, as Meta declined to specify how many users were affected. Stone confirmed the company secured compromised accounts Monday before beginning the password reset process. However, evidence suggests the vulnerability may have persisted longer than Meta initially acknowledged.
This attack represents a new category of social engineering threat where criminals exploit AI systems’ tendency to be helpful without sufficient verification. As more companies deploy AI for customer service, the incident serves as a warning about implementing proper authentication controls before granting AI systems access to sensitive account functions.