A serious security incident over the weekend exposed a novel attack vector in AI-powered customer support systems: hackers successfully hijacked Instagram accounts by manipulating Meta's own AI support chatbot into granting them unauthorized access.
The attack was documented across Reddit and X (formerly Twitter) as multiple Instagram users reported losing access to their accounts in rapid succession. Among those affected was prominent security researcher Jane Wong, who posted publicly that her account's password had been changed without her knowledge, with multiple unauthorized password reset attempts flooding her inbox throughout the day.
A video circulated on X showing the step-by-step exploitation process. The attacker used a VPN to spoof their presumed geographic location, avoiding Instagram's automated fraud detection triggers. Critically, the hack never required taking over the legitimate email address linked to the victim's account — an unusual property that sets it apart from traditional credential-stuffing or phishing attacks.
TechCrunch independently verified one element of the attack: the hacker's public email mailbox, displayed in the video, was shown to receive verification codes that the chatbot had been tricked into generating. This confirmed that Meta's AI support system was actively participating in the unauthorized account takeover workflow.
By Monday, Instagram spokesperson Andy Stone confirmed the vulnerability had been patched. Meta did not disclose how many accounts were compromised during the exposure window, nor did it provide a detailed technical explanation of the underlying flaw in the AI system's verification logic.
The incident raises significant questions about the security of AI-powered support automation. Unlike traditional IVR systems with scripted decision trees, large language model-based chatbots can be prompted or manipulated through conversational social engineering — a form of what researchers call "prompt injection" in production systems.
Why It Matters
This attack illustrates a rapidly emerging class of security vulnerability: AI-assisted social engineering against AI support systems. As enterprises rush to deploy LLM-based customer service agents, this incident serves as a real-world warning that these systems require the same rigorous security threat modeling as any other access control surface. The fact that Meta's own AI became the attack vector — not merely a target — is a signal that organizations must implement strict guardrails and out-of-band verification requirements before any AI system is allowed to alter account credentials or access permissions.