Meta’s AI chatbot breach exposes security flaws, impacts high-profile accounts

By Editorial Team · Published June 3, 2026 · 3 min read · Source: Crypto Briefing

Hackers used simple prompts to trick Meta's Instagram AI support bot into handing over account access, bypassing two-factor authentication entirely.

Turns out, all you needed to hijack a high-profile Instagram account was a VPN and a polite request to a chatbot. Hackers exploited a vulnerability in Meta’s AI-driven Instagram support bot to take over accounts belonging to former President Barack Obama’s White House page, beauty retailer Sephora, and US Space Force Chief Master Sergeant John Bentivegna, among others.

The attack vector was disarmingly simple. Attackers instructed the AI chatbot to change the email addresses linked to target accounts, effectively locking out the real owners and handing the keys to whoever asked nicely enough. Two-factor authentication, the security measure that’s supposed to be the deadbolt on your digital front door, didn’t stop them.

How the attack worked

The exploit falls into a category security researchers call a “confused deputy” flaw. In English: the AI chatbot had legitimate authority to make account changes, but it couldn’t tell the difference between an authorized request and a malicious one.

Attackers used VPNs to make their connections appear to come from their targets' geographic locations before initiating recovery chats with Meta’s AI support system. Once the bot believed it was talking to the account owner, a simple prompt requesting an email change was all it took.

The Barack Obama White House Instagram page, which had been dormant, was temporarily repurposed to post pro-Iranian content.

Meta patched the vulnerability between May 29 and June 1, 2026, following reports and video demonstrations of the exploit circulating online.

The bigger picture for AI security

The core problem here is one that every AI deployment faces: authorization versus authentication. Meta’s chatbot had the authority to execute account changes but lacked robust mechanisms to authenticate who was actually making the request.

The breach didn’t require the attackers to break the AI. They didn’t need to jailbreak it or craft adversarial prompts that tricked it into ignoring its safety training. They just used it as intended, except with bad intentions. The bot was designed to help users recover accounts. It did exactly that. It just couldn’t tell the good guys from the bad guys.

Bolting an AI chatbot onto account recovery without building in verification layers that match the sensitivity of the actions being performed is an architectural failure, not an AI failure.
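
One way to build such a verification layer, as an added example (not Meta's code and not from the original article): the tool executor, rather than the model, decides whether a requested action may run, and a location match counts only as a weak signal. The tool names, assurance levels and `verified` flags are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Assurance(IntEnum):
    NONE = 0        # anonymous chat session
    SIGNAL = 1      # soft signals only (IP geolocation, device hints)
    POSSESSION = 2  # proved control of a contact channel already on file
    MFA = 3         # completed the account's enrolled second factor

# Hypothetical policy: minimum assurance each support-bot tool requires.
REQUIRED = {
    "explain_recovery_steps": Assurance.NONE,
    "send_reset_link_to_email_on_file": Assurance.SIGNAL,
    "change_email": Assurance.MFA,
}

@dataclass
class Session:
    account_id: str
    has_mfa_enrolled: bool
    # Written only by the authentication backend, never by the chatbot.
    verified: set = field(default_factory=set)

    def assurance(self) -> Assurance:
        if "mfa" in self.verified:
            return Assurance.MFA
        if "code_to_channel_on_file" in self.verified:
            return Assurance.POSSESSION
        if "geo_match" in self.verified:
            return Assurance.SIGNAL
        return Assurance.NONE

def authorize_tool_call(session: Session, tool: str, model_claims: dict) -> tuple[bool, str]:
    """Gate a tool call requested by the model.

    model_claims (what the model believes about the user) is accepted but
    deliberately ignored: the deputy's belief is not evidence of identity.
    """
    need = REQUIRED.get(tool)
    if need is None:
        return False, "deny: unknown tool"  # default-deny unlisted actions
    if need == Assurance.MFA and not session.has_mfa_enrolled:
        need = Assurance.POSSESSION  # fall back to a channel already on file
    have = session.assurance()
    if have >= need:
        return True, f"allow: {have.name} >= {need.name}"
    return False, f"step_up_required: need {need.name}, have {have.name}"
```
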

What this means for investors

The breach also raises questions about the broader AI investment thesis. Meta and its peers have poured billions into AI development, and much of the current market enthusiasm rests on the assumption that these systems can be deployed safely at scale. When a flagship AI feature from one of the world’s largest tech companies gets compromised by what amounts to social engineering with extra steps, that assumption deserves scrutiny.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
This article was originally published on Crypto Briefing and is republished here under RSS syndication for informational purposes. All rights and intellectual property remain with the original author. If you are the author and wish to have this article removed, please contact us at [email protected].
