A high-profile Instagram breach has raised fresh concerns about how much authority tech companies should give to AI chatbots when handling sensitive account recovery tasks.
Hackers manipulated Meta’s AI-powered support chatbot into granting access to high-profile Instagram accounts, exposing what experts described as a critical weakness in automated customer support.
Hackers gained access to major Instagram accounts
The breach affected several prominent Instagram accounts.
Reuters reported that attackers seized accounts including the dormant Obama White House page, beauty retailer Sephora, and a senior U.S. Space Force official. Hackers persuaded Meta’s AI support chatbot to reset account credentials without independently verifying identity.
That detail is what makes the incident significant. The breach was not described as a traditional password leak or malware campaign. Instead, the attackers reportedly abused an automated support system that had enough authority to help change account access.
AI support became the weak point
The case highlights a growing risk as companies automate customer service and account support.
The chatbot was turned from a high-trust security tool into a weakness because it was persuaded to reset credentials without stronger identity checks. Cybersecurity experts shared that the attack fits a broader category known as prompt injection, where attackers manipulate AI systems through carefully crafted instructions.
Brian Westnedge, vice president for alliances and partnerships at cybersecurity firm Red Sift, shared that the issue was a “foundational architecture failure” because the model was given privileged actions without privileged access controls.
That means the problem was not simply that the AI gave a wrong answer. The deeper issue was that the AI appeared to have access to functions that could affect real user accounts.
Meta says the issue has been fixed
Meta has said the immediate problem is resolved.
BBC reported that Meta said on Monday the issue had been resolved and that the company was securing impacted accounts. However, Reuters said Meta declined to provide further details, and the outlet could not immediately identify or reach the hackers.
The incident also affected security researcher and former Meta employee Jane Wong. Wong said it took about 5 to 10 minutes to restore her account after it was compromised, and that her password had been changed without her knowledge.
Wong also said on X that she had received multiple reset attempt requests.
Incident comes during Meta’s AI push
The timing is sensitive for Meta because the company has been aggressively expanding its AI strategy.
Meta has doubled down on AI, shedding thousands of jobs while pledging up to $145 billion for AI infrastructure. The incident sent Meta shares down more than 5%, as investors were already concerned about the company’s large AI spending.
The support chatbot was launched in March to help address a long-running complaint that Meta lacks human support for users who lose access to their accounts or face mistaken penalties.
Experts warn the risk goes beyond Meta
Security experts say the issue is not limited to Instagram.
Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, said that the concern is not necessarily AI itself, but whether adequate safeguards exist around what AI is authorized to do.
Engin Kirda, a professor at Northeastern University, said that people are now seeing unexpected problems with AI agents, adding that agents themselves are being targeted by scams.
That is the larger lesson from the Instagram breach. AI chatbots can make support faster and cheaper, but they become dangerous when they are allowed to perform high-risk actions without strong verification, access controls, and human review.
For users, the incident is another reminder to enable multi-factor authentication and watch for suspicious reset attempts. For tech companies, it is a warning that AI support systems cannot simply be trusted with account recovery because they sound helpful. Once automation can change credentials, it becomes part of the security system, and attackers will treat it that way.
