Hackers used Meta’s AI chatbot to steal 20,000 Instagram accounts by asking the support bot to change account email addresses.

The exploit required no technical skills: attackers simply typed natural language requests into Meta’s AI support assistant and it complied.

How Hackers Used the Meta AI Chatbot to Steal Instagram Accounts

Hacker using a laptop to access social media accounts through an AI chatbot exploit

The attack worked by opening a chat with Meta’s AI Support Assistant and asking it to add a new email address to the target’s account.

The chatbot sent a verification code to the hacker’s email address and, after sharing that code, displayed a button to reset the password.

Hackers used a VPN to spoof the target’s presumed location, making the request appear more legitimate to the AI support system.

Per TechCrunch reporting, Meta says approximately 34,000 accounts were targeted and 20,000 were successfully breached in the campaign.

High-profile victims included the Barack Obama White House archive account, the Chief Master Sergeant of Space Force, and Sephora’s brand page.

What Data Was Exposed in the Instagram AI Chatbot Hack?

Breached accounts exposed personal information including email addresses, phone numbers, and date of birth data stored in Meta’s systems.

Attackers gained full account control, enabling them to post content, message followers, and lock out the original account owner permanently.

Meta confirmed it is alerting affected users by sending notifications to the email or phone numbers linked to compromised accounts.

The company has not disclosed whether any financial or payment data was exposed through the breached accounts during the attack window.

Per 404 Media investigation, victims report no way to escalate their compromised account to a human reviewer inside Meta’s support system.

Why AI Customer Support Systems Are a Cybersecurity Risk

This attack demonstrates the extreme risk of replacing human support agents with AI chatbots that have the ability to modify accounts.

Traditional support required identity verification before making account changes; AI chatbots appear to have had weaker verification gates.

The exploit required no special technical knowledge, making it scalable to any attacker with a VPN and a few minutes to type requests.

As Signal’s Meredith Whittaker warned in our earlier coverage of AI chatbot security risks, AI support systems can create unexpected access vulnerabilities.

Read more in our full analysis of AI cybersecurity threats and how attackers are now targeting AI systems themselves rather than traditional software.

How to Protect Your Instagram Account From AI Support Exploits

Digital security visualization showing two-factor authentication and account protection layers

Enable two-factor authentication using an authenticator app, not SMS, as SIM-swap attacks can undermine SMS-based codes.

Check your account’s linked email and phone number regularly in Settings to detect unauthorized changes before they lead to a lockout.

Use a unique, strong password for your Instagram account that is not reused on any other service or platform.

If you receive an unexpected verification code by email, do not share it with anyone and immediately change your account password.

Meta has not announced structural changes to its AI support chatbot’s account-modification capabilities following the disclosure of this exploit.

Related Articles

Enjoyed this?

Trust Post Desk

A journalist and editor at TrustPost.org covering world and national news, technology updates and human-interest stories. They check every fact, interview sources in person or online, and aim to deliver clear, accurate reporting. Their work ranges from breaking news to in-depth features and daily newsletters. Outside the newsroom, they follow emerging trends and engage with readers on social media.