Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

This is one of those stories that deserves more than a headline skim. The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian images and messages over the weekend, after instructions began circulating on Telegram showing how to trick Meta’s “AI support assistant” bot into resetting account passwords.

[Image: A screenshot from a video released on Telegram claiming to show how Meta’s AI customer support bot could be tricked into resetting a target’s password.]

On May 31, word began to...

The Details

Here is what we know: A video released on Telegram by pro-Iran hackers claimed to document a remarkably simple exploit. It appears to have involved using a VPN connection with an IP address in or near the target’s usual hometown, requesting a password reset for the account, and then choosing to chat with Meta’s AI support assistant. From there, the video shows the attacker telling the bot to link the account in question to a new email address, after which the bot dutifully sent that address a one-time code that allowed a password reset.
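As an added illustration (not code from Meta, the video, or the original article), here is a sketch of a server-side gate, enforced outside the chatbot, that would refuse the two steps the video describes. The tool names `link_email` and `send_reset_code`, the `Account` and `Session` fields, and the sample addresses are all assumptions made up for the example.

```python
from dataclasses import dataclass

@dataclass
class Account:
    handle: str
    verified_emails: set          # contact points the owner already confirmed

@dataclass
class Session:
    authenticated: bool = False   # requester proved control (password, passkey)
    confirmed_via_existing_contact: bool = False  # approved from an on-file address
    ip_near_usual_location: bool = False  # soft signal; a VPN exit satisfies it

def authorize_tool_call(account, session, tool, args):
    """Decide, outside the model, whether a requested support action may run."""
    email = args.get("email", "").strip().lower()
    if tool == "link_email":
        # Changing a recovery contact is as sensitive as changing the password.
        # Note that ip_near_usual_location is deliberately never consulted.
        if not (session.authenticated and session.confirmed_via_existing_contact):
            return False, "contact change needs login plus approval from an on-file address"
        return True, "contact change approved"
    if tool == "send_reset_code":
        # Codes only ever go to contact points that were on file beforehand.
        if email not in account.verified_emails:
            return False, "reset code destination is not on file"
        return True, "code sent to on-file address"
    return False, "tool not allowed for support assistant"

def run_chat(account, session, requested_calls):
    """Apply each requested call in order and return the decisions."""
    decisions = []
    for tool, args in requested_calls:
        allowed, reason = authorize_tool_call(account, session, tool, args)
        if allowed and tool == "link_email":
            account.verified_emails.add(args["email"].strip().lower())
        decisions.append((tool, allowed, reason))
    return decisions

# Constructed sample: the sequence the video describes, from an unauthenticated chat.
victim = Account("example_handle", {"owner@example.com"})
unverified_requester = Session(ip_near_usual_location=True)
described_sequence = [
    ("link_email", {"email": "new-address@example.net"}),
    ("send_reset_code", {"email": "new-address@example.net"}),
]
if __name__ == "__main__":
    for decision in run_chat(victim, unverified_requester, described_sequence):
        print(decision)
```

The design point is that the assistant can only request actions; a deterministic policy layer decides whether they run, so no amount of persuasion in the chat changes the outcome.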

The Telegram account that posted the video also linked to screenshots of pro-Iran images, videos and messages that defaced the hacked Instagram accounts, saying hackers had used the exploit to hijack a number of valuable (read: short) Instagram account names that allegedly have a resale value of more than a half million dollars.

And perhaps most importantly: Meta has not responded to requests for comment on the video’s claims, but Meta’s Andy Stone said on Twitter/X that the issue had been resolved and that they were securing impacted accounts. The security blog thecybersecguru.com reports that Meta pushed an emergency patch over the weekend, and clarified that no back-end database was breached.

Why This Should Be On Your Radar

This matters because security is not a single-event problem -- it is a continuous process. Each new threat adds to the collective knowledge defenders need to stay ahead. Ignoring it does not make it go away.

What To Do

  1. Check whether your environment uses any of the affected components.
  2. Brief your team or update your threat model accordingly.
  3. Share this with your network -- the more defenders who know, the harder it is for attackers.

Full story: https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts/

Originally published at https://securitycyber.uk