Meta’s AI Reset Instagram Passwords for Hackers Who Just Asked

Meta built an AI support assistant to handle the tedious work of account recovery, and over one weekend people discovered they could talk it into giving away accounts that were not theirs. By asking the chatbot to attach a new email address to a target’s Instagram account and then requesting a password reset, attackers seized profiles they had no business touching, including ones guarded by two-factor authentication. The tool meant to help users get back into a locked account became the fastest way to lock the real owner out.

The method was almost insultingly plain. An attacker first used a VPN to make their connection look like it came from the victim’s part of the world, because Meta’s support flow leaned on location as a trust signal. From there they opened a chat with the assistant and asked it to add an email address they controlled to the target account. The bot emailed a verification code to that new address, the attacker pasted the code back into the conversation, and the assistant answered by surfacing a Reset Password button. One new password later, the account changed hands.

What sets this apart from an ordinary hack is that nothing was actually broken into. There was no malware, no leaked database of credentials, no phishing page dressed up to look like a login screen. The platform’s own support tool did the work, following its instructions exactly as written. The attacker did not defeat Instagram’s security so much as ask it politely to step aside, and it did.

That sequence is what makes the incident matter to anyone with an Instagram login. Two-factor authentication, the protection security experts have urged people to switch on for a decade, did nothing here. The attacker never needed the victim’s password, their phone, or a code from an authenticator app, because the AI agent could reset the password on its own. When a support system can override every other lock on the door, the locks stop counting for much.

The accounts that drew the most attention were high-profile. Among them was the Instagram handle tied to the Obama-era White House, dormant since 2017, and the account of John Bentivegna, the chief master sergeant of the US Space Force. Security researcher Jane Wong, known for picking apart app code, watched her own account slip away. “The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday,” she wrote, describing being logged out again and again. Ordinary users reported the same experience, though Meta has not said how many were caught up in it.

The episode is less a flaw in a line of code than a question about what these agents are allowed to do. Meta widened its AI-powered support earlier this year, letting the assistant handle password resets and account problems that used to need a human or a rigid web form. Handing a conversational model authority over account recovery stripped out the friction for genuine users and, as it turned out, for everyone else too. A human agent might have hesitated at a stranger asking to change an account’s email. The bot simply followed the script it was given.

Meta says the hole is closed, but several things should temper any relief. The company has not disclosed how many accounts were taken over before the fix, which leaves victims without a clear sense of the damage. According to 404 Media, the technique had been trading hands on Telegram since March, meaning the door may have stood open for weeks before it surfaced in public. And the design underneath, trusting a location signal that a VPN can fake and an email loop the attacker fully controls, points to a verification model that was thin from the start.

Security researchers have warned for a while that AI agents wired into live systems open a new attack surface, one where the exploit is not malformed code but a convincing request. This is among the first large-scale cases to prove the point with everyday consumer accounts rather than a lab demonstration. The manipulation called for no technical skill at all. It called for knowing what to say, aimed at a system built to be helpful first and cautious second.

For now the practical advice is unglamorous. Anyone who noticed unexpected password-reset emails or sudden logouts over the weekend should check which email addresses and phone numbers are tied to their account and strip out anything they do not recognize. Two-factor authentication is still worth keeping switched on for the many attacks it does stop, even if it counted for nothing in this one.

Instagram spokesperson Andy Stone confirmed on Monday that the issue had been fixed and that the company was securing affected accounts. What Meta has not addressed is the larger design question its own rollout raised this spring, namely how much authority an automated agent should hold over the accounts of billions of people, and what keeps the next conversation from ending the same way.

Tags: Cybersecurity, meta, AI security, account takeover