Hackers gained control of Instagram accounts by requesting a password reset from Meta's AI chatbot.


Hackers deceived Meta's AI support chatbot into adding their email to victims' Instagram accounts and resetting their passwords without needing access to the victims' emails. During the weekend, hackers were able to take over Instagram accounts by manipulating Meta's AI support bot, with no reliance on phishing links or malware. The hacker simply instructed the chatbot to add a new email address to another person's account.

A video posted on X detailed the entire process, showing how the hacker employed a VPN to mask their location, bypassing Instagram's automated protections. They then initiated a conversation with the Meta AI Support Assistant and requested that a new email address be added to the target's account. The chatbot sent a verification code to the hacker's email, which the hacker relayed back, enabling the bot to present a "Reset Password" option. The hacker created a new password and gained control of the account.

Remarkably, the hacker did not need to access the email linked to the victim's Instagram account. TechCrunch confirmed that the verification code was received in the hacker's public email mailbox shown in the video. This attack exploited a crucial vulnerability: the AI chatbot treated whoever it was communicating with as the account's owner, without verifying that claim. The verification code only proved control of the newly supplied address, not of the account.
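To make the flaw concrete, here is an added illustration (not Meta's code, and all names are hypothetical) of an "add recovery email" tool as an AI support agent might call it. The vulnerable version mirrors the flow in the article, sending the code to the requester-supplied address; the hardened version sends it to a contact already bound to the account, and a constructed replay of the incident shows that the second flow cannot be completed from the requester's mailbox alone.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    handle: str
    email: str              # address already verified on the account
    pending: tuple = None   # (code, proposed new email) awaiting confirmation

class Outbox:
    """Constructed stand-in for an email sender; records (recipient, code)."""
    def __init__(self):
        self.sent = []

    def send(self, to, code):
        self.sent.append((to, code))

def vulnerable_add_email(acct, new_email, outbox):
    """Flow from the article: the code is sent to the requester-supplied
    address, so controlling that address proves nothing about the account."""
    code = secrets.token_hex(3)
    acct.pending = (code, new_email)
    outbox.send(new_email, code)

def hardened_add_email(acct, new_email, outbox):
    """Fix: the code goes to a contact already bound to the account, so only
    the current owner can complete the change and any reset that follows."""
    code = secrets.token_hex(3)
    acct.pending = (code, new_email)
    outbox.send(acct.email, code)

def confirm(acct, code):
    """Shared confirmation step: binds the new email if the code matches."""
    if acct.pending and hmac.compare_digest(acct.pending[0], code):
        acct.email = acct.pending[1]
        acct.pending = None
        return True
    return False

def requester_mailbox_suffices(flow):
    """Replay the incident against a flow: the requester reads only their own
    (constructed) mailbox and submits whatever code was delivered there."""
    acct = Account("victim", "owner@example.test")
    outbox = Outbox()
    flow(acct, "requester@example.test", outbox)
    codes = [c for to, c in outbox.sent if to == "requester@example.test"]
    return any(confirm(acct, c) for c in codes)
```

The same check applies to any agent tool that changes account contact details: the proof of possession must be tied to something the account already trusts, not to a value the requester supplied in the same conversation.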

Among the compromised accounts were the Instagram handle of the Obama-era White House, which had been inactive since 2017, and that of US Space Force Chief Master Sergeant John Bentivegna. Security researcher Jane Wong also had her account hijacked. She noted, "The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday. Quite concerning." Many users on Reddit and X reported similar account takeovers during the same weekend.

On Monday, Instagram spokesman Andy Stone stated that the issue had been resolved, although the total number of compromised accounts remains uncertain. Meta did not respond to TechCrunch's request for comment.

This incident exemplifies the dangers of equipping AI chatbots with account-level permissions. Customers of Salesforce's Agentforce have been hesitant to allow AI agents to engage in significant financial transactions due to security concerns. Analyst Rebecca Wettemann remarked on the anxiety of "the AI running off in the middle of the night and refunding a bunch of transactions." Meta's AI had the authority to reset passwords, which it executed as instructed, albeit for the wrong person.

The landscape of AI agent security is evolving swiftly, introducing new types of vulnerabilities that companies struggle to manage. OpenClaw's Claw Chain exploit took advantage of an agent's sandbox privileges, while the Instagram incident exploited the AI support bot's account management capabilities. The common issue is that the security of the system hinges on the agent's ability to authenticate the individual requesting action.

The Meta AI Support Assistant aimed to lower the cost of human customer service, achieving that goal while simultaneously creating a new vulnerability that human representatives would not have, as they would typically verify the caller's identity before altering an account. The chatbot failed to perform this verification.

This marks the third notable AI deployment failure within a week. Starbucks abandoned its AI inventory system after nine months of inaccuracies, and Waymo's flood recall failed shortly after launch. Meta's AI chatbot inadvertently handed over control of Instagram accounts to hackers. The recurring trend highlights that AI systems deployed at scale often fail unpredictably, leading to more significant consequences than the efficiencies they were intended to provide.


The AI support bot added a hacker's email to the account, dispatched a verification code to it, and then offered a password reset, all without requiring access to the victim's email.