Meta AI Exploit Allows Unauthorized Instagram Account Takeovers

Severity: High (Score: 64.5)

Sources: Neowin, Cybersecuritynews, www.thewrap.com, Techcrunch, taskandpurpose.com

Published: 2026-06-01 · Updated: 2026-06-01

Keywords: meta, instagram, accounts, into, handing, over, password

Summary

A security flaw in Meta's AI support tool for Instagram has enabled attackers to hijack accounts, including high-profile ones like the Obama White House account. The exploit allows users to trick the AI into sending password reset links to unauthorized email addresses without any verification. Attackers utilize a VPN to match the target's location and send a message to the AI requesting a password reset. This vulnerability has reportedly been active since February 2026, impacting thousands of accounts. Although Meta has patched the exploit, it highlights significant weaknesses in their account recovery processes. The incident has raised concerns about the security of automated support systems and the potential for further exploitation. Reports indicate that black market services for account takeovers have emerged, capitalizing on the exploit. The incident underscores the need for more robust security measures in AI-driven support systems.

Key Points:

  • Attackers exploited Meta's AI to hijack Instagram accounts without verification.
  • High-profile accounts, including the Obama White House account, were compromised.
  • The vulnerability has been active since February 2026, affecting thousands of users.

Detailed Analysis

**Impact** Thousands of Instagram accounts were compromised worldwide, including high-profile targets such as the Obama White House and the U.S. Space Force Chief Master Sergeant’s accounts. The exploit bypassed two-factor authentication and allowed attackers to reset passwords and take full control without notifying the original owners. The breach affected users primarily in the US and Canada, with significant reputational damage and potential misuse for propaganda or financial gain through black market sales of valuable handles.

**Technical Details** Attackers used VPNs or proxies to spoof the victim’s geographic location and interacted with Meta’s AI-powered Instagram support assistant via prompt injection, requesting password reset codes be sent to attacker-controlled emails. The AI lacked verification of the new email address and accepted AI-generated or animated images as identity proof, bypassing 2FA and revoking existing sessions. The vulnerability was active from at least February 2026 until recently patched; no CVEs or malware were specified.

**Recommended Response** Defenders should verify that Meta’s AI support tools have been fully patched and monitor for unusual password reset requests or changes to account recovery information. Users should be alerted to verify any unexpected recovery attempts and enable additional account protections where possible. Organizations should monitor threat intelligence feeds for indicators of compromise related to this exploit and review internal policies on AI-driven support automation.
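
For teams reviewing their own AI-driven support automation, the sketch below is an added example (not Meta's code and not taken from the source articles) of a policy gate that runs outside the model and only ever delivers a reset link to a contact point already verified on the account. The tool-call shape, the field names `handle` and `send_to`, the account store and the audit log are all hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass
class Account:
    handle: str
    verified_emails: frozenset  # contact points confirmed before this session

# Constructed sample data (hypothetical account store, not real accounts).
ACCOUNTS = {
    "example_handle": Account("example_handle", frozenset({"owner@example.com"})),
}
AUDIT_LOG = []  # feeds monitoring for unusual reset requests


def handle_reset_tool_call(model_args, accounts=ACCOUNTS):
    """Authorize a hypothetical 'send reset link' tool call made by the assistant.

    Everything in model_args is untrusted: it is derived from the chat, so a
    prompt-injected request can put any destination there. The gate ignores
    chat content, claimed location and uploaded images as proof of ownership.
    """
    handle = str(model_args.get("handle", ""))
    requested = str(model_args.get("send_to", "")).strip().lower()
    acct = accounts.get(handle)
    if acct is None:
        return {"status": "denied", "reason": "unknown_account", "deliveries": []}

    if requested in acct.verified_emails:
        # Destination was already on file: the link reaches the owner only.
        deliveries = [(requested, "reset_link")]
        decision = {"status": "sent"}
    else:
        # Never send the link to a new address. Notify the verified contacts
        # instead and hand the case to a human-reviewed recovery flow.
        deliveries = [(addr, "recovery_attempt_notice")
                      for addr in sorted(acct.verified_emails)]
        decision = {"status": "denied",
                    "reason": "destination_not_on_file",
                    "escalate_to_human": True}

    AUDIT_LOG.append({"handle": handle, "requested": requested, **decision})
    return {**decision, "deliveries": deliveries}
```

Denied entries in the audit log are the "unusual password reset requests" signal the recommended response asks defenders to monitor.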

Source articles (6)

  • Instagram Meta AI Vulnerability Allegedly Enables Password Reset for Accounts — Cybersecuritynews · 2026-06-01
    A critical flaw in Meta’s AI-powered account recovery tool on Instagram allowed attackers to hijack high-value accounts by tricking the chatbot into forwarding password reset codes with no verificatio…
  • People are using prompt injection to trick Meta's AI into handing over Instagram accounts — Neowin · 2026-06-01
    Reports have started circulating of a security flaw where hackers are tricking the Meta AI support assistant on Instagram into handing over user accounts without authorization (even with 2FA enabled).…
  • The newest Instagram "exploit" is the goofiest I've seen — News.Ycombinator · 2026-06-01
    Yesterday, a slew of Instagram accounts, including some high profile ones like the Obama White House account, seemingly got hacked. I've seen my of exploits and takeover techniques, but this is the mo…
  • Hackers hijacked Instagram accounts by tricking Meta AI support chatbot into granting access — Techcrunch · 2026-06-01
    Instagram has resolved a security issue that allowed several users’ accounts to get hacked. The attack appeared to rely on tricking Meta’s own AI-powered support chatbot into granting access to a vict…
  • Obama White House Instagram Account Hacked Shiites Control — www.thewrap.com · 2026-06-01
  • John Bentinvegna — taskandpurpose.com · 2026-06-01

Timeline

  • 2026-02-01 — Vulnerability first exploited: Attackers began using the exploit to hijack Instagram accounts, leveraging AI support for unauthorized password resets.
  • 2026-06-01 — Meta AI exploit reported widely: Multiple news outlets reported on the AI vulnerability, detailing how attackers were able to compromise accounts, including high-profile ones.
  • 2026-06-01 — Exploit patched by Meta: Meta announced that the vulnerability had been patched, but concerns about the AI's security remain.

Related entities

  • Data Breach (Attack Type)
  • Phishing (Attack Type)
  • Instagram (Platform)
  • WhatsApp (Platform)
  • Meta (Company)
  • Obama White House (Company)
  • U.S. Space Force (Company)
  • White House (Company)
  • Twitter (Company)
  • Canada (Country)
  • CWE-287 - Improper Authentication (Cwe)
  • T1566 - Phishing (Mitre Attack)