Hackers asked Meta’s AI chatbot to hand over Instagram accounts, and it did

No phishing link. No malware. No SIM swap. Hackers took over high-profile Instagram accounts over the weekend by doing something disarmingly simple: they asked Meta’s AI customer support chatbot to change the email address on someone else’s account. The bot complied without verifying the requester’s identity, and the attacker then reset the password and locked out the rightful owner.

The technique, which was first reported by 404 Media, spread through Telegram channels where hackers shared the method and began advertising stolen handles for sale. Among the compromised accounts were the dormant Obama White House Instagram profile, which was used to post unauthorised AI-generated images, and the account of US Space Force chief master sergeant John Bentivegna.

Meta spokesperson Andy Stone said on Monday that “the issue that did happen has already been fixed.” But on Tuesday, more Instagram users reported losing access to their accounts, and members of the same Telegram channels claimed the exploit still worked, according to TechCrunch.

How the attack worked

The method exploited a flaw in Meta’s AI Support Assistant, which the company rolled out in March 2026 with the ability to “resolve account issues from start to finish,” including resetting passwords. The chatbot was designed to replace human support agents for routine account recovery tasks.

An attacker would identify a target account, typically a short “OG” username worth thousands on underground markets. They would use a VPN to spoof the target’s presumed location, open a chat with the AI support bot, and simply claim to be the account owner. The bot would then link the attacker’s email address to the target account without asking for any proof of ownership.

A human support agent would have verified the caller’s identity before making such a change. The chatbot did not. Two-factor authentication may have blocked some takeovers, but accounts without it enabled were vulnerable to compromise in minutes.

A grey market for stolen handles

For years, a flourishing underground market has existed for so-called OG usernames, the short, desirable handles claimed by Instagram’s earliest users. Previous methods of stealing them required technical sophistication: phishing the victim, bribing telecom insiders to perform SIM swaps, or compromising email accounts.

This attack lowered the barrier to entry dramatically. The hackers who shared the technique on Telegram were advertising apparently stolen handles for sale, including common forenames and country names that function as collectibles in this grey market. TechCrunch reported that the sales continued even after Meta’s announced fix.

Meta scrambles to notify victims

Meta has been sending password reset emails and security notifications to users whose accounts were targeted. Several victims reported receiving messages from Instagram warning that the company had “detected some suspicious activity that suggests your Instagram may have been compromised,” along with instructions to reset their passwords.

Stone told TechCrunch that Meta secured affected accounts on Monday before beginning its notification campaign. He declined to say how many users were compromised. Meta also disputed that the Obama White House account was taken over using this specific method, though it confirmed the account was hacked.

The cost of automating trust

The incident exposes a fundamental tension in deploying AI agents with real-world authority. Meta built its support chatbot to perform actions that previously required a human in the loop, but it shipped that capability without the verification checks that human agents would have applied as a matter of course.

It is a pattern the industry has seen before. When Instagram account recovery was handled by humans, the process was slow and often frustrating, but it at least required the requester to prove they were who they claimed to be. Automating that process without preserving the identity-verification step turned a bottleneck into a vulnerability.

The broader lesson is not that AI should never handle sensitive account operations, but that authentication remains a problem no chatbot can shortcut. Meta gave its AI the power to hand over the keys. The hackers simply walked up and asked for them.