Instagram Account Takeovers Linked To Meta AI Support Flaw


Meta has fixed a flaw in an AI-powered Instagram support tool after hackers allegedly used it to take over high-profile accounts by changing the email address tied to targeted profiles.

The issue was first detailed by 404 Media, which reported that attackers could persuade Meta’s AI support chatbot to link a new email address to an Instagram account. After that change, the attacker could trigger a password reset and gain access.

Affected accounts reportedly included valuable short-handle usernames and public-facing profiles. Reuters reported that the incident involved high-profile Instagram accounts, including the dormant Obama White House account, Sephora, and a U.S. Space Force official.

How The Instagram AI Support Exploit Worked

The attack did not require a traditional database breach or stolen password. Reports describe a logic failure in an automated account support flow that gave the chatbot too much control over sensitive recovery steps.

According to The Verge, hackers used the support chatbot to request that a new email address be linked to a target account. Once the email was accepted, the attacker could receive a password reset message and move toward account takeover.

This made the issue different from ordinary phishing. The attacker did not need to convince the victim to reveal a password. The weak point sat in the recovery workflow, where an AI support tool allegedly acted on requests without enough identity checks.

| Area | Reported detail | Why it matters |
| --- | --- | --- |
| Affected service | Instagram account support and recovery workflow | Account recovery controls can decide who regains access |
| Reported method | Ask the AI support chatbot to link a new email address | Email control can allow password reset attempts |
| Targets | High-value usernames and prominent accounts | Stolen handles can carry resale value or public influence |
| Meta response | The company says the issue has been resolved | Users should still review account security settings |

Meta Says The Issue Has Been Fixed

Meta said it resolved the issue and is working to secure affected accounts. A TechCrunch report said Instagram has also begun alerting users who were targeted during the attacks.

The company’s position is important because this was not described as a breach of Meta’s backend systems. Instead, reports point to an account recovery failure where an AI assistant allegedly performed sensitive actions without the right guardrails.

The case highlights a growing security problem for companies adding AI to customer support. A chatbot that can only answer questions carries limited risk. A chatbot that can change recovery details, send codes, or influence account ownership becomes part of the security boundary.

Why High-Value Instagram Accounts Were Targeted

Attackers focused on accounts with financial or reputational value. Short usernames, often called OG handles, can sell for large sums in underground markets because they are rare, memorable, and easy to resell.

404 Media reported that lists of high-value usernames circulated on Telegram. The same reporting described hackers sharing videos that allegedly showed the account recovery abuse in action.

Institutional and celebrity-linked accounts carry a different risk. A takeover can spread scams, propaganda, or misleading posts to large audiences before the platform regains control.

  • Short usernames may have resale value in underground markets.
  • Verified or public-facing accounts can be used for impersonation.
  • Brand accounts can damage customer trust if hijacked.
  • Government-linked accounts can be used to spread false messages.
  • Security researchers and public figures may face targeted attacks.

Two-Factor Authentication Still Matters

Reports indicate that accounts with stronger multi-factor protections were harder to compromise. Instagram’s own two-factor authentication guidance says 2FA adds a required code when someone tries to log in from an unrecognized device.

Users should prefer an authentication app over SMS where possible. SMS codes can still help, but they carry more risk if an attacker uses SIM-swapping or social engineering against a mobile carrier.

Instagram also recommends keeping account recovery details current. Meta’s account security guidance says users should update the phone number and email address tied to the account so they can recover access if something changes.

| Security step | Recommended action |
| --- | --- |
| Two-factor authentication | Use an authentication app when available |
| Recovery email | Use a private email address not publicly tied to the account |
| Password | Use a unique password stored in a password manager |
| Login activity | Review active sessions and remove unknown devices |
| Backup codes | Store them offline or in a secure password manager |

What Users Should Do Now

Users should review their Instagram login activity, confirm their recovery email and phone number, and turn on two-factor authentication. This matters most for public figures, creators, brands, journalists, and anyone with a valuable username.

Instagram’s hacked account help page gives recovery steps for users who think someone has taken over their account. Users who receive a warning from Instagram should follow the in-app recovery process rather than links from unknown messages or third-party accounts.

Meta’s Instagram safety guidance also reminds users that Instagram will not send direct messages asking for passwords. Official account-related messages appear in the app’s Emails from Instagram area.

Why AI Support Tools Need Stronger Controls

The Instagram incident shows why companies need strict limits around AI assistants that touch identity and recovery workflows. A chatbot should not be able to override the same controls that human support agents must follow.

Reuters reported that security experts viewed the case as a warning about automation without enough access controls. The issue also raised questions about whether AI support tools should be allowed to make account-level changes without human review.

The risk is not limited to Instagram. Many companies are adding AI to support portals, billing tools, developer platforms, and identity flows. If those tools can reset credentials or change recovery information, attackers will test them the same way they test human help desks.

  • AI support tools should not change account ownership without strong verification.
  • Sensitive account actions should require independent identity checks.
  • High-value accounts should receive stronger recovery protections.
  • Platforms should monitor support tools for prompt injection and abuse patterns.
  • Users should secure the email account tied to Instagram, not just Instagram itself.
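The control described above, an AI assistant that can only propose sensitive actions while a separate policy layer decides whether they run, can be illustrated with a small gate. The code below is an added example and is not Meta's or Instagram's code; the tool names, the five-minute step-up window, the "confirm from the old email" rule and the account model are assumptions chosen for illustration. It contrasts the failure mode the reports describe (the assistant's request is itself treated as proof of ownership) with a gate that applies the same checks a human agent would be held to, and routes high-value accounts to human review.

```python
"""Added example, not Meta's or Instagram's code: a policy gate placed between an
AI support assistant and the account-recovery actions it can trigger.  Tool
names, time limits and the account model are assumptions for illustration."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

STEP_UP_MAX_AGE = 300          # assumed policy: a fresh 2FA step-up within the last 5 minutes
READ_ONLY_TOOLS = {"answer_faq", "show_login_help"}   # tools that cannot change account state
SENSITIVE_TOOLS = {"link_recovery_email", "send_password_reset"}


@dataclass
class Account:
    user_id: str
    recovery_email: str
    high_value: bool = False     # short handle, verified, brand or institutional account


@dataclass
class Session:
    user_id: str
    last_step_up_at: Optional[float] = None   # time of the last successful 2FA challenge
    old_channel_confirmed: bool = False       # change approved from the existing recovery email


@dataclass
class Decision:
    allowed: bool
    reason: str
    human_review: bool = False


Gate = Callable[[str, Account, Session, float], Decision]


def weak_gate(tool: str, account: Account, session: Session, now: float) -> Decision:
    """The failure mode the reports describe: the assistant's request is itself
    treated as proof that the requester owns the account."""
    return Decision(True, "request accepted by assistant")


def hardened_gate(tool: str, account: Account, session: Session, now: float) -> Decision:
    """Sensitive actions go through the same checks a human agent would need."""
    if tool in READ_ONLY_TOOLS:
        return Decision(True, "read-only tool")
    if tool not in SENSITIVE_TOOLS:
        return Decision(False, "unknown tool")      # deny by default
    if session.user_id != account.user_id:
        return Decision(False, "session does not belong to the target account")
    if session.last_step_up_at is None or now - session.last_step_up_at > STEP_UP_MAX_AGE:
        return Decision(False, "recent 2FA step-up required")
    if tool == "link_recovery_email" and not session.old_channel_confirmed:
        return Decision(False, "change must be confirmed from the existing recovery email")
    if account.high_value:
        return Decision(False, "queued for human review", human_review=True)
    return Decision(True, "all identity checks passed")


def run_tool(gate: Gate, tool: str, account: Account, session: Session,
             args: Dict[str, str], audit: List[str], now: Optional[float] = None) -> Decision:
    """Dispatch one assistant tool call through the gate and record the outcome."""
    now = time.time() if now is None else now
    decision = gate(tool, account, session, now)
    verdict = "ALLOW" if decision.allowed else "DENY"
    audit.append(f"{tool} on {account.user_id}: {verdict} ({decision.reason})")
    if decision.allowed and tool == "link_recovery_email":
        account.recovery_email = args["email"]       # the only place account state changes
    return decision


def demo() -> Dict[str, str]:
    """Constructed scenario: a session owned by someone else asks the assistant
    to relink a high-value account's recovery email."""
    now = 1_000_000.0
    target = Account("victim", "owner@example.com", high_value=True)
    other = Session(user_id="attacker")              # logged in, but not as the account owner
    audit: List[str] = []
    run_tool(weak_gate, "link_recovery_email", target, other, {"email": "evil@example.com"}, audit, now)
    weak_result = target.recovery_email              # the weak gate let the change through
    target.recovery_email = "owner@example.com"      # reset for the second run
    run_tool(hardened_gate, "link_recovery_email", target, other, {"email": "evil@example.com"}, audit, now)
    return {"weak": weak_result, "hardened": target.recovery_email, "log": "\n".join(audit)}


if __name__ == "__main__":
    print(demo()["log"])
```

The design point is that the language model never holds the authority to change recovery data: it emits a tool call, and the gate, which is ordinary deterministic code, checks session ownership, a recent step-up, confirmation from the existing channel, and the account's risk tier before anything is written. The audit list gives the monitoring hook the list above asks for, since every denied attempt against a high-value account is a signal worth alerting on.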

What This Means For Instagram Users

For most users, the main action is simple: turn on 2FA, lock down the recovery email, and check active sessions. The official Instagram 2FA page explains how to enable login codes and backup codes through account settings.

People who suspect compromise should start with Instagram’s account recovery help center. They should also secure the email account connected to Instagram, change reused passwords, and revoke access for unknown third-party apps.

The broader lesson is clear. AI support can speed up customer service, but it can also create new takeover paths when connected to account recovery. The Verge reported that Meta has resolved the issue, and TechCrunch reported that Instagram is notifying targeted users.

FAQ

What was the Instagram Meta AI vulnerability?

Reports say attackers abused Meta’s AI-powered Instagram support tool to link a new email address to targeted accounts. After that, they could trigger password resets and attempt to take over the accounts.

Did hackers need the victim’s Instagram password?

Reports suggest the attack did not require the victim’s password. The alleged weakness was in the account recovery workflow, where the AI support tool could be manipulated into changing recovery details.

Has Meta fixed the Instagram AI support flaw?

Yes. Meta said it has resolved the issue and is securing affected accounts. Instagram has also reportedly started alerting users who were targeted.

How can I protect my Instagram account?

Enable two-factor authentication, preferably with an authentication app. Use a private recovery email, review login activity, save backup codes securely, and avoid reusing passwords.

What should I do if my Instagram account was targeted?

Follow Instagram’s official recovery process, change your password, secure your email account, enable two-factor authentication, review login activity, and remove unknown devices or third-party app access.
