
How Hackers Took Over Instagram Accounts by Talking to Meta's AI Assistant

Martin Holloway, published 5d ago, 4 min read, based on 10 sources

Meta fixed a security flaw in its Instagram account recovery system that let hackers take over accounts by simply asking an AI chatbot to change the email address tied to those accounts. The vulnerability showed that conversational AI systems—the kind that talk like humans—can become a weak link in security when they are put in charge of sensitive account controls.

What the Hackers Did

The vulnerability lived in Meta's AI support assistant, a chatbot designed to help users recover access to their accounts. Attackers found a surprisingly simple way in: they could convince the AI to change which email address was connected to a target account.

The attack had several steps. First, hackers used a VPN—a tool that hides your location—to make it look like they were logging in from the same country as the person they were targeting. Then they started a normal password reset process for someone else's Instagram account. Here is where the problem appeared: when they talked to Meta's AI support chatbot, the system didn't properly check whether they actually owned that account. Attackers simply asked the AI to link a new email address to the target account, and it did.

According to 404 Media, the process was that straightforward. There was no strong verification to confirm the person asking actually had the right to make those changes.

When This Happened

The vulnerability first circulated among hackers on Telegram in late March. Security researchers and affected users later reported what was happening, and Meta patched the flaw after these reports became public. The company hasn't said exactly how much time passed between when they first heard about it and when they fixed it.

Why This Matters

This incident points to a real tension in how companies build AI systems. Traditional security systems use mathematical locks (cryptography) and multiple verification checks—for example, a password plus a code sent to your phone—to keep accounts safe. When companies add conversational AI to these processes, they are introducing a new kind of door that works with natural language instead of structured commands.

Think of it like this: a traditional security system is like a locked door with a very specific key. A conversational AI is more like having a guard at the door who can understand what you say and make decisions. That guard can be tricked if you know how to talk to them the right way.

The flaw suggests that Meta had woven its language models directly into the account recovery process without building in proper safeguards. The goal was likely to make account recovery feel more natural and easier for users—you could just chat with an assistant instead of following menus. But that convenience created an opening for attackers.

What This Tells Us About AI Security

As companies across banking, healthcare, and other sensitive industries start using AI chatbots to help customers, they face a new kind of security challenge. An attacker doesn't need to hack a computer system anymore; they just need to have a persuasive conversation with the right AI system.

The broader context here is that many companies are adding AI chatbots to handle customer support and sensitive operations without fully thinking through the new dangers this creates. Hackers can use prompt injection—a technique where they carefully word their requests to trick an AI into doing what they want—or they can use social engineering, the old art of talking their way past security.

Meta includes AI vulnerabilities in its bug bounty program, which pays researchers who find security flaws. This incident shows that the program works, but it also shows that the security industry is still learning how to properly test and defend AI systems in these roles.

In my view, this is an early warning of a pattern we will see more often. As AI becomes more powerful and handles increasingly important tasks, this category of attack will become a real concern. When I watched my own kids navigate online services, I noticed how naturally they trusted what a helpful-sounding interface told them; that instinct works the same way whether you are talking to a human or an AI. Companies need to build security systems designed specifically for conversational AI, not just adapt their old security playbooks.

The fix Meta deployed likely added extra verification steps—the kind that require cryptographic proof or multi-factor authentication—before allowing changes to account credentials. But the broader lesson is that adding AI to sensitive processes requires more careful security thinking upfront, not just patching problems after attackers find them.
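As an added illustration of that lesson (example code written for this article, not Meta's code; the names and the signed recovery-token scheme are hypothetical stand-ins for whatever verification Meta actually uses), here is the difference between executing an assistant's tool call as-is and an executor that grants the change only on proof of ownership it verifies itself, regardless of what was said in the chat:

```python
import hashlib, hmac, time
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo secret; a real service would load this from a key store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

@dataclass
class Session:
    """What the server knows about the caller, independent of chat text."""
    authenticated_as: Optional[str] = None   # set only after login + MFA
    recovery_tokens: list = field(default_factory=list)

def issue_recovery_token(account: str, ttl: int = 600, now: Optional[int] = None) -> str:
    """Minted only after the caller proves control of the account's existing
    contact channel (e.g. a code sent to the current email); bound to one account."""
    exp = int(now if now is not None else time.time()) + ttl
    sig = hmac.new(SERVER_KEY, f"{account}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{account}:{exp}:{sig}"

def token_proves_ownership(token: str, account: str, now: Optional[int] = None) -> bool:
    """Valid signature, bound to this exact account, and not expired."""
    try:
        acct, exp, sig = token.split(":")
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{acct}:{exp}".encode(), hashlib.sha256).hexdigest()
    current = int(now if now is not None else time.time())
    return hmac.compare_digest(sig, expected) and acct == account and int(exp) > current

def change_email_unsafe(accounts: dict, tool_call: dict) -> str:
    """The pattern the article describes: the assistant's tool call is executed
    as-is, so whatever the model was talked into becomes an account change."""
    accounts[tool_call["account"]] = tool_call["new_email"]
    return "ok"

def change_email(accounts: dict, session: Session, tool_call: dict,
                 now: Optional[int] = None) -> str:
    """Hardened: the executor checks ownership itself. The model's wording and any
    'user_confirmed' flag it puts in the tool call carry no authority."""
    target = tool_call["account"]
    owned = session.authenticated_as == target or any(
        token_proves_ownership(t, target, now) for t in session.recovery_tokens)
    if not owned:
        return f"denied: no proof of ownership for {target}"  # audit-log and alert here
    accounts[target] = tool_call["new_email"]
    return "ok"
```

The point is where the decision lives: the model can only propose, and a token issued for one account proves nothing about another.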

Meta has also started adding other safety features to its AI systems, like parental controls that let parents limit which AI chatbots younger children can talk to. This suggests the company is thinking more carefully about how its AI systems interact with users in ways that matter.