Hackers took control of Instagram accounts by requesting password resets through Meta's AI chatbot.

      Hackers manipulated Meta's AI support chatbot to add their email addresses to victims' Instagram accounts and reset passwords without needing access to the victims' emails. Over the weekend, these hackers successfully hijacked Instagram accounts by deceiving Meta’s AI-powered support bot. The attack did not require phishing links or malware; instead, the hacker simply instructed the chatbot to add a new email to someone else's account.

      A video shared on X outlined the procedure. The hacker used a VPN to mask their location, thereby circumventing Instagram's automated security measures. They then opened a conversation with the Meta AI Support Assistant and asked the bot to associate a new email address with the victim's account.

      The chatbot then sent a verification code to the hacker's email, which the hacker subsequently provided back to the bot. The chatbot responded by revealing a "Reset Password" button. The hacker set a new password, granting them access to the account.

      At no point did the hacker need access to the legitimate email address tied to the victim's Instagram account. TechCrunch confirmed that the verification code was received in the hacker's public email account shown in the video. The breach took advantage of a critical flaw: the AI chatbot accepted the claimed identity of the person it was interacting with, without verifying that they were who they said they were.

      The hacked accounts included the White House Instagram handle from the Obama administration, which had been dormant since 2017, and the account of US Space Force Chief Master Sergeant John Bentivegna. Security researcher Jane Wong also reported her account was compromised.

      "The password was changed without my consent, and I received numerous password reset notifications yesterday," Wong expressed. "It’s quite troubling." Many users on Reddit and X reported similar account takeovers during that weekend.

      On Monday, Instagram spokesperson Andy Stone announced that the matter had been resolved. It remains unclear how many accounts were affected. Meta did not respond to TechCrunch's inquiry for comment.

      This incident exemplifies the risks of deploying AI chatbots that hold account-level permissions. Customers of Salesforce’s Agentforce have hesitated to allow AI agents to undertake significant financial actions due to similar concerns. Analyst Rebecca Wettemann described the anxiety as “the AI running off in the middle of the night and refunding multiple transactions.” Once Meta had given the AI the capability to reset passwords, the system followed the instructions of an individual who was not authorized to give them.

      The security landscape concerning AI agents is rapidly evolving, revealing vulnerabilities faster than companies can mitigate them. For instance, OpenClaw’s Claw Chain exploit utilized an agent's sandbox privileges, while the Instagram attack leveraged an AI support bot's account management capabilities. The common issue is that when an AI agent possesses the authority to act, the security of the system hinges on its ability to confirm the identity of the requester.

      The Meta AI Support Assistant was intended to lower human customer service costs, achieving that goal but inadvertently exposing a vulnerability that human support agents would not have allowed. A human agent would have authenticated the caller’s identity before adding a new email; the chatbot failed to do this.
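The difference between the reported flow and an ownership check can be shown in a few lines. This is an added illustration, not Meta's code and not taken from the article; `Account`, `Mailer`, the function names and the `example.test` addresses are hypothetical, and `read_inbox` models which inboxes the requester can actually read.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    handle: str
    verified_emails: set = field(default_factory=set)

class Mailer:
    """Constructed stand-in for an email service: keeps the last code per inbox."""
    def __init__(self):
        self.inbox = {}
    def send_code(self, address):
        self.inbox[address] = f"{secrets.randbelow(10**6):06d}"
        return self.inbox[address]

def proves_control(address, mailer, read_inbox):
    # True only if the requester can read back the code sent to `address`.
    sent = mailer.send_code(address)
    return hmac.compare_digest(sent, read_inbox(address) or "")

def add_email_flawed(account, new_email, mailer, read_inbox):
    # Flow as reported: the code goes to the address being ADDED, so echoing
    # it back proves control of the new inbox only, not of the account.
    if proves_control(new_email, mailer, read_inbox):
        account.verified_emails.add(new_email)
        return True
    return False

def add_email_hardened(account, new_email, mailer, read_inbox):
    # Step 1: challenge a contact that is ALREADY verified on the account.
    if not account.verified_emails:
        return False  # no trusted channel: hand off to manual review
    primary = min(account.verified_emails)
    if not proves_control(primary, mailer, read_inbox):
        return False
    # Step 2: only then confirm the new address is reachable.
    if not proves_control(new_email, mailer, read_inbox):
        return False
    account.verified_emails.add(new_email)
    return True

def demo():
    mailer = Mailer()
    mine = "requester@example.test"  # constructed: the only inbox this requester can read
    outsider = lambda addr: mailer.inbox.get(addr) if addr == mine else None
    a = Account("sample_handle", {"owner@example.test"})
    b = Account("sample_handle", {"owner@example.test"})
    return (add_email_flawed(a, mine, mailer, outsider),
            add_email_hardened(b, mine, mailer, outsider))
```

The same rule applies whatever sits in front of the tool: the check belongs in the account-management function the agent calls, so no conversation can talk its way past it.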

      This marks the third major failure of AI deployment within a week: Starbucks discontinued its AI inventory system following nine months of inaccuracies, Waymo's flood recall was unsuccessful in just two weeks, and Meta’s AI chatbot inadvertently granted hackers access to Instagram accounts. The recurring pattern indicates that large-scale AI systems often fail in unforeseen ways, and these failures can have more significant implications than the efficiencies they were designed to provide.
