Hackers took control of Instagram accounts by requesting password resets from Meta's AI chatbot.

      TL;DR Hackers deceived Meta’s AI support chatbot into adding their email to victims' Instagram accounts and resetting passwords without needing access to the victims' emails.

      Over the weekend, hackers breached Instagram accounts by manipulating Meta’s AI-powered support chatbot. The attack required no access to the victims' email, and it involved neither phishing nor malware. The hacker simply instructed the chatbot to add a new email address to an account.

      A video shared on X detailed the process. The hacker used a VPN to disguise their location, evading Instagram’s automated safeguards. They then initiated a chat with the Meta AI Support Assistant and requested the addition of a new email to the targeted account.

      The chatbot dispatched a verification code to the hacker’s email, which the hacker relayed back to the bot. Following this, the chatbot presented a “Reset Password” button. The hacker entered a new password and gained control of the account.

      Notably, the hacker needed no access to the email address actually linked to the victim’s account. TechCrunch confirmed that the hacker’s public email, shown in the video, received the verification code. The attack exploited a critical flaw: the AI chatbot treated whoever it was chatting with as the account owner without authenticating them.
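
The flaw described above, modelled as an added example (not Meta's code and not from the article): a code sent to a newly supplied address proves control of that mailbox only, so the guarded tool requires a session that the login system has bound to the account plus a challenge on a contact already on file. The account store, `SupportSession` and all function names are hypothetical.

```python
import hmac
import secrets

# Constructed data: one account with a verified contact already on file.
ACCOUNTS = {"victim_handle": {"emails": ["owner@example.test"]}}
OUTBOX = {}  # address -> last code sent; stands in for an email gateway

def send_code(address):
    OUTBOX[address] = f"{secrets.randbelow(10**6):06d}"
    return OUTBOX[address]

def weak_add_email(handle, new_email, code_from_chat):
    """Flow as the article describes it: the code was sent to the NEW address,
    so a correct code proves control of that mailbox, not of the account."""
    sent = OUTBOX.pop(new_email, None)
    if sent and hmac.compare_digest(sent, code_from_chat):
        ACCOUNTS[handle]["emails"].append(new_email)
        return True
    return False

class SupportSession:
    """Hypothetical chat session. `authenticated_as` is set by the login
    system, never from anything typed into the chat."""
    def __init__(self, authenticated_as=None):
        self.authenticated_as = authenticated_as
        self.step_up_ok = False

    def start_step_up(self):
        # The challenge goes to a contact ALREADY on file for the account.
        if self.authenticated_as not in ACCOUNTS:
            return False
        send_code(ACCOUNTS[self.authenticated_as]["emails"][0])
        return True

    def confirm_step_up(self, code):
        if self.authenticated_as not in ACCOUNTS:
            return False
        sent = OUTBOX.pop(ACCOUNTS[self.authenticated_as]["emails"][0], None)
        self.step_up_ok = bool(sent) and hmac.compare_digest(sent, code)
        return self.step_up_ok

def guarded_add_email(session, handle, new_email):
    """Tool exposed to the agent: refuses unless the session is bound to this
    account and has just passed a challenge on an existing contact."""
    if session.authenticated_as != handle or not session.step_up_ok:
        return False
    session.step_up_ok = False  # one sensitive change per challenge
    ACCOUNTS[handle]["emails"].append(new_email)
    return True
```

The authorization decision lives in the tool, not in the model's reading of the conversation, so nothing typed into the chat can change who the session is bound to.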

      The affected accounts included the White House Instagram handle from the Obama era, inactive since 2017, and the account of US Space Force Chief Master Sergeant John Bentivegna. Security researcher Jane Wong reported that her account was also hijacked.

      “The password was changed without my consent, and I received numerous password reset notifications yesterday,” Wong said. “It’s quite alarming.” Multiple users on Reddit and X reported similar account takeovers that same weekend.

      Instagram spokesperson Andy Stone stated on Monday that the issue has been resolved. It remains uncertain how many accounts were compromised. Meta did not provide a comment to TechCrunch.

      This attack exemplifies the dangers of employing AI chatbots with account-level permissions. Customers of Salesforce’s Agentforce have hesitated to allow AI agents to perform significant financial actions due to this very risk. Analyst Rebecca Wettemann noted the concern as "the AI running off in the middle of the night and refunding a bunch of transactions." Meta allowed its AI to reset passwords, which it executed as instructed, but for the wrong individual.

      The security landscape for AI agents is generating new vulnerabilities faster than companies can manage them. The Claw Chain exploit from OpenClaw leveraged an agent’s sandbox privileges, while this Instagram attack exploited the privileges associated with an AI support bot’s account management. The common issue here is that the security of the system hinges on whether the AI can authenticate the requestor's identity before acting.

      The Meta AI Support Assistant was intended to lower the cost of human customer service, achieving that goal but simultaneously creating vulnerabilities that human support representatives wouldn't have. A human agent would have verified the caller's identity before updating an account's email, something the chatbot failed to do.

      This marks the third significant AI deployment failure in just one week. Starbucks abandoned its AI inventory system after several months of inaccuracies, and Waymo's recent recall failed within two weeks. The issue with Meta’s AI chatbot granting hackers access to Instagram accounts mirrors a troubling trend: AI systems implemented at scale often fail in unforeseen ways, with consequences that outweigh the efficiencies they were designed to provide.
