A critical flaw in Meta’s AI Support Assistant allowed cybercriminals to hijack dozens of Instagram accounts, raising concerns about the security of AI-powered customer support.
What You Need to Know
Quick Summary: Key Facts
- What happened: Hackers exploited Meta’s AI customer support chatbot to hijack Instagram accounts
- When: 1st June 2026
- Who’s affected: High-profile accounts with valuable usernames (“OG handles”)
- How: Simple social engineering via AI chat—no coding required
- Status: Meta has patched the vulnerability, but users should secure accounts immediately
Remarkably, attackers simply chatted with Meta’s AI chatbot and asked it to transfer account ownership, a vulnerability that security experts are calling a wake-up call for AI integration in sensitive systems.
Compromised Accounts:
- @hey – Estimated value: $50,000+
- @jowo – Premium short handle
- @korn – Brand-name account
- @obamawhitehouse – Dormant government account (since 2017)
Researchers estimate that over 100 high-value accounts were hijacked, with a combined gray-market value exceeding $1 million. Stolen handles were almost immediately listed for sale on Telegram channels.
One user, Jane Wong, tweeted on X:
Even my Instagram account got hacked
The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday. And I got repeatedly logged out from the IG iOS app.
Meta spokesperson Andy tweeted on X:
This issue has been resolved and we are securing impacted accounts.
How this Attack Happened: Step-by-Step Breakdown
Security researchers have identified the attack vector as a combination of AI prompt injection and excessive API permissions.
Here’s how attackers bypassed Instagram’s security:
A DarkWebInformer user posted a proof-of-concept (POC) video on X.
The “Just Ask” Exploit
- Initiated AI Chat: Attackers opened a conversation with Meta’s AI Support Assistant
- Social Engineering: Claimed to be the legitimate account owner who “lost access”
- Direct Request: Asked the AI to link a new email address to the target account
- API Execution: The AI, granted excessive permissions, complied without human verification
- Password Reset: Attacker received verification code at their email
- Account Takeover: Reset password, changed recovery codes, locked out legitimate owner
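The step that made the exploit work is the fourth one: the assistant's tools executed an account-recovery change on the strength of what the chat claimed, with no check that the caller was actually the account's authenticated owner. The control that was missing is an authorization gate in front of the tools, one that ignores the conversation entirely and decides from the platform's own session state plus an out-of-band step-up check. The following is an added example of such a gate, written for this article and not Meta's code; the tool names, session fields and policy tiers are assumptions for illustration.

```python
"""Authorization gate for tool calls proposed by an AI support assistant.

Added example, not Meta's code: the tool names, session fields and policy
are assumptions for illustration. It shows the control the article says was
missing: the assistant's tools must authorize against the authenticated
session and an out-of-band step-up check, never against what the person in
the chat claims about owning the account.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Dict, Optional


class Sensitivity(Enum):
    READ_ONLY = "read_only"                  # anyone may call
    ACCOUNT_SCOPED = "account_scoped"        # needs a session on the target account
    RECOVERY_CRITICAL = "recovery_critical"  # also needs completed step-up verification


# Hypothetical catalogue of tools the model may request.
TOOL_POLICY: Dict[str, Sensitivity] = {
    "get_help_article": Sensitivity.READ_ONLY,
    "get_login_activity": Sensitivity.ACCOUNT_SCOPED,
    "link_recovery_email": Sensitivity.RECOVERY_CRITICAL,
    "reset_password": Sensitivity.RECOVERY_CRITICAL,
    "replace_2fa_device": Sensitivity.RECOVERY_CRITICAL,
}


@dataclass
class Session:
    """What the platform itself knows about the caller, independent of the chat."""
    account_id: Optional[str]          # None means an anonymous visitor
    step_up_verified: bool = False     # e.g. a code confirmed on the EXISTING recovery channel


@dataclass
class ToolCall:
    """A tool invocation the model wants to make. `claims` is the model's
    summary of what the user asserted ("I lost access, I am the owner");
    it is kept for audit logging and is never an authorization input."""
    tool: str
    args: Dict[str, Any] = field(default_factory=dict)
    claims: str = ""


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(call: ToolCall, session: Session) -> Decision:
    """Deny-by-default gate evaluated before any tool is executed."""
    sensitivity = TOOL_POLICY.get(call.tool)
    if sensitivity is None:
        return Decision(False, f"unknown tool {call.tool!r}")
    if sensitivity is Sensitivity.READ_ONLY:
        return Decision(True, "read-only tool")

    if session.account_id is None:
        return Decision(False, "anonymous session may not touch account state")
    if call.args.get("account_id") != session.account_id:
        # The chat may say "I own @hey"; only the session identity counts.
        return Decision(False, "target account does not match the authenticated session")
    if sensitivity is Sensitivity.RECOVERY_CRITICAL and not session.step_up_verified:
        return Decision(False, "step-up verification required before changing recovery settings")
    return Decision(True, "authorized")


def handle(call: ToolCall, session: Session) -> Dict[str, Any]:
    """What the assistant relays back: either a result or a reason for refusal.
    The audit record keeps the model's claims so analysts can see attempts."""
    decision = authorize(call, session)
    record = {"tool": call.tool, "args": call.args, "claims": call.claims,
              "allowed": decision.allowed, "reason": decision.reason}
    if not decision.allowed:
        return {"status": "denied", "audit": record}
    # Tool execution would go here; the example only returns the audit record.
    return {"status": "ok", "audit": record}


if __name__ == "__main__":
    # The scenario from the article: a chat-only claim of ownership, no session.
    attacker = Session(account_id=None)
    request = ToolCall("link_recovery_email",
                       {"account_id": "1001", "email": "new@example.invalid"},
                       claims="I am the owner of this account and lost access")
    print(handle(request, attacker)["status"])          # denied

    # The legitimate owner, logged in and having completed step-up.
    owner = Session(account_id="1001", step_up_verified=True)
    print(handle(request, owner)["status"])             # ok
```

The design choice worth noting is that `claims` is carried only into the audit record. Whatever the model extracts from the conversation, the gate reads nothing but the tool tier, the session's account identity and the step-up flag, so a persuasive story in the chat cannot widen what the tools will do. Refusals are logged with the claims attached, which also gives the support team a record of attempted recovery abuse.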
Bypassing Two-Factor Authentication (2FA)
Even more alarming, the exploit completely circumvented Instagram’s 2FA protections:
- No SMS interception needed
- Authenticator apps bypassed
- Selfie verification defeated using AI-generated deepfake videos
- Geographic alerts avoided via VPN location spoofing
Frequently Asked Questions (FAQ)
Q: Was Meta’s database hacked?
A: No. Meta confirmed that no backend systems were breached via traditional hacking methods. The vulnerability was a logic flaw in how the AI assistant processed account recovery requests.
Q: Can this happen to my account?
A: The specific vulnerability has been patched, but high-value accounts remain targets for other attack methods. Follow the security checklist above to protect yourself.
Q: Should I delete my Instagram account?
A: Not necessarily. However, you should:
- Enable all available security features
- Use strong, unique passwords
- Monitor account activity regularly
- Consider making your account private
Q: How do I know if my account was compromised?
A: Check for:
- Unexpected password reset emails
- Login alerts from unfamiliar locations
- Changes to your email or phone number
- Posts or messages you didn’t send
Meta will also notify affected users directly.
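The indicators above are written for account owners, but the same signals can be checked mechanically over account audit events. The following added example, not from the article, turns them into three rules: a burst of password reset requests, a recovery-channel change followed shortly by a completed reset, and sensitive changes from a country never seen in the account's logins. The event format, field names, thresholds and the sample log lines are all constructed for this illustration.

```python
"""Account-takeover signal detection over constructed account-event logs.

Added example, not from the article: the event format, field names,
thresholds and sample lines are assumptions. It turns the article's
user-facing indicators (repeated reset e-mails, unfamiliar-location
activity, recovery e-mail or 2FA changes) into rules a defender can run
over audit events.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events: ISO timestamp, account, event type, source country.
# Account 1001 mirrors the pattern described in the article; 2002 is benign.
SAMPLE_EVENTS = """\
2026-06-01T08:02:10Z acct=1001 event=login country=US
2026-06-01T08:40:00Z acct=1001 event=password_reset_requested country=RU
2026-06-01T08:41:30Z acct=1001 event=password_reset_requested country=RU
2026-06-01T08:43:00Z acct=1001 event=password_reset_requested country=RU
2026-06-01T09:00:00Z acct=1001 event=recovery_email_changed country=RU
2026-06-01T09:03:00Z acct=1001 event=password_reset_completed country=RU
2026-06-01T09:04:00Z acct=1001 event=two_factor_disabled country=RU
2026-06-01T10:00:00Z acct=2002 event=login country=DE
2026-06-01T10:05:00Z acct=2002 event=password_reset_requested country=DE
2026-06-01T10:07:00Z acct=2002 event=password_reset_completed country=DE
"""

# Events that alter how an account can be recovered (assumed names).
RECOVERY_CHANGE = {"recovery_email_changed", "recovery_phone_changed", "two_factor_disabled"}
WINDOW = timedelta(hours=1)          # correlation window for both timing rules
RESET_REQUEST_THRESHOLD = 3          # reset requests inside WINDOW that count as a storm


def parse_events(text: str) -> List[Dict]:
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        ev.update(kv.split("=", 1) for kv in kvs)
        events.append(ev)
    return events


def detect(events: List[Dict]) -> Dict[str, List[str]]:
    """Return {account: [rule names fired]} for accounts showing takeover signals."""
    by_acct: Dict[str, List[Dict]] = defaultdict(list)
    for ev in events:
        by_acct[ev["acct"]].append(ev)

    alerts: Dict[str, List[str]] = {}
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])
        fired: List[str] = []

        # Rule 1: THRESHOLD or more reset requests within WINDOW (a "reset storm").
        requests = [e["ts"] for e in evs if e["event"] == "password_reset_requested"]
        for i in range(len(requests) - RESET_REQUEST_THRESHOLD + 1):
            if requests[i + RESET_REQUEST_THRESHOLD - 1] - requests[i] <= WINDOW:
                fired.append("reset_storm")
                break

        # Rule 2: a recovery-channel change followed within WINDOW by a completed reset.
        changes = [e["ts"] for e in evs if e["event"] in RECOVERY_CHANGE]
        completed = [e["ts"] for e in evs if e["event"] == "password_reset_completed"]
        if any(timedelta(0) <= done - chg <= WINDOW for chg in changes for done in completed):
            fired.append("recovery_change_then_reset")

        # Rule 3: a sensitive change from a country never seen in earlier logins.
        known_countries = set()
        for e in evs:
            if e["event"] == "login":
                known_countries.add(e["country"])
            elif e["event"] in RECOVERY_CHANGE or e["event"] == "password_reset_completed":
                if e["country"] not in known_countries:
                    fired.append("unfamiliar_location")
                    break

        if fired:
            alerts[acct] = fired
    return alerts


if __name__ == "__main__":
    for acct, rules in detect(parse_events(SAMPLE_EVENTS)).items():
        print(acct, ", ".join(rules))
```

Rule 3 deliberately builds its set of familiar countries only from logins that precede the sensitive event, so a location that first appears at the moment of the recovery change is not counted as familiar. In a real deployment the thresholds would be tuned per platform and the rules would run alongside, not instead of, the step-up checks at the point of change.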
Q: What is an “OG handle” and why is it valuable?
A: “OG” (original) handles are short, memorable usernames (often single words or 3-4 letters) registered in Instagram’s early days. They’re valuable because:
- They’re rare and can’t be recreated
- Brands pay premium prices for them
- Gray market value ranges from $1,000 to $500,000+
Q: Is AI customer support safe to use?
A: Use caution when:
- Requesting account recovery via AI chat
- Sharing sensitive information with chatbots
- Making irreversible changes through AI
Best practice: always request human verification for account changes.