Meta Fixed an Instagram Flaw After Its AI Support Bot Helped Hackers Take Over Accounts
@TrendFlashNow

Hackers reportedly used Meta’s own AI support chatbot to change account emails and reset Instagram passwords, exposing a practical risk in automating customer support for sensitive account recovery.

Meta has fixed a security issue that allowed hackers to hijack some Instagram accounts by manipulating the company’s AI-powered support chatbot, according to reports published between June 1 and June 4, 2026.

The reported method was blunt: attackers asked Meta’s support assistant to add a new email address to a target Instagram account, received a verification code at an address they controlled, then used that flow to reset the account password. Meta spokesperson Andy Stone said the issue was fixed on June 1.

The compromised accounts reportedly included the Instagram handle for the Obama-era White House archive, which had appeared inactive since 2017, and the account of U.S. Space Force Chief Master Sergeant John Bentivegna. Security researcher Jane Wong also said her Instagram account was taken over after password changes and reset attempts she did not initiate.

What reportedly happened

According to the reports, users on Reddit and X began warning over the weekend that Instagram accounts had been compromised. A video posted on X appeared to show a step-by-step account takeover using Meta’s AI Support Assistant.

In that demonstration, the attacker allegedly used a VPN to make their location look closer to the presumed location of the target account. That detail matters because account-protection systems often use signals such as device, geography, login history, and behavior patterns to decide whether a request looks suspicious.

The attacker then opened a support chat and asked the chatbot to add a new email address to the target account. The bot sent a verification code to the attacker-controlled email address. Once the attacker supplied that code back to the assistant, the flow exposed a password reset option. A new password could then be set, giving the attacker control of the account.

TechCrunch reported that it was able to verify that the public email inbox shown in the video had received the verification code.

Why the weak point was not just “AI”

The important lesson is not simply that an AI chatbot made a mistake. The deeper problem is that the chatbot appears to have been connected to an account-recovery action that should require strong proof of account ownership.

Support automation becomes risky when it can change identity anchors: email addresses, phone numbers, passwords, recovery methods, or login approvals. Those are not normal help-desk conveniences. They are the keys that determine who controls an account.

In older support systems, attackers often tried to socially engineer human agents. The pitch might be emotional, urgent, or filled with plausible personal details. AI support changes the shape of that risk. Instead of persuading one employee, attackers can test prompts, retry flows, and look for the exact wording that causes an automated system to perform a sensitive action.

That does not mean AI support is unusable. It means the chatbot should not be treated as the final authority for account ownership. For high-risk changes, the assistant can collect context, explain next steps, or route a case, but the actual change should depend on independent verification that the requester controls the original account or its established recovery channels.

A practical example

Imagine a small business whose Instagram account is used for bookings, product launches, and customer messages. If an attacker can convince support automation to add a new email address, the attacker does not need to crack the owner’s password. They can move the account’s recovery path first, then reset the password afterward.

For the business, the damage is immediate. Customers may see scam posts. Direct messages may be exposed. The owner may lose access during a sales campaign. Even if the account is restored, trust has already been damaged because followers cannot easily tell whether a post, message, or link came from the real operator.

That is why account recovery is one of the most sensitive parts of a consumer platform. It is also one of the hardest to automate cleanly. Real users do lose phones, forget passwords, change emails, and get locked out. Platforms need recovery flows that help them. But attackers live in those same recovery flows because they are designed to bypass the normal login path.

What this says about AI support rollouts

Meta rolled out its AI assistant earlier in 2026, and the Instagram incident shows how quickly customer-support automation can become part of a platform’s security boundary. Once a chatbot can trigger real account changes, it is no longer just a front-end support feature. It is part of the access-control system.

That raises the bar for testing. Security teams need to evaluate not only whether the model answers correctly, but whether the surrounding workflow blocks dangerous outcomes. The safest chatbot response is not enough if the next button in the flow lets the wrong person reset an account.

For platforms, the practical implications are narrow but serious:

  • Email changes should be treated as high-risk actions, especially when they precede a password reset.
  • Verification should rely on existing trusted channels, not only on a new address supplied during a support conversation.
  • Automated support should have stricter limits for notable, inactive, or high-profile accounts, where takeover attempts can cause public confusion.
  • Security testing should include prompt-driven abuse, not just traditional login and password-reset attacks.
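The following is an added illustration, not Meta's or Instagram's code, of the point made above and in the list: the weak pattern (a new address proves only itself and then unlocks a reset) placed beside a hardened policy that requires confirmation through an existing recovery channel, holds changes on dormant or high-profile accounts, and refuses resets routed to a freshly added address. The account and request fields, the handles and addresses, and the 24-hour cooling-off and one-year dormancy thresholds are all assumptions made for the example.

```python
"""Added illustration (not Meta's or Instagram's code): a recovery-action
policy with the weak pattern beside a hardened one. All names, field names
and thresholds are invented for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COOLING_OFF = timedelta(hours=24)     # assumed value for the example
DORMANT_AFTER = timedelta(days=365)   # assumed value for the example


@dataclass
class Account:
    handle: str
    emails: list                      # established recovery addresses
    last_login: datetime
    high_profile: bool = False
    added_at: dict = field(default_factory=dict)   # email -> when it was added


@dataclass
class Request:
    kind: str                         # "add_email" or "reset_password"
    now: datetime
    new_email: str = ""
    proved_new_email: bool = False    # code sent to the NEW address was echoed back
    proved_existing: bool = False     # challenge on an EXISTING channel passed
    reset_via: str = ""               # address the reset link would go to


def weak_policy(acct: Account, req: Request) -> str:
    """The pattern the reports describe: the new address proves itself."""
    if req.kind == "add_email" and req.proved_new_email:
        acct.emails.append(req.new_email)
        acct.added_at[req.new_email] = req.now
        return "allowed"
    if req.kind == "reset_password" and req.reset_via in acct.emails:
        return "allowed"
    return "denied"


def hardened_policy(acct: Account, req: Request) -> str:
    """Identity-anchor changes are gated on the account's existing anchors."""
    if req.kind == "add_email":
        if not req.proved_new_email:
            return "denied: new address not verified"
        if not req.proved_existing:
            return "denied: confirm through an existing recovery channel"
        dormant = req.now - acct.last_login > DORMANT_AFTER
        if dormant or acct.high_profile:
            return "held: manual review required"
        acct.emails.append(req.new_email)
        acct.added_at[req.new_email] = req.now
        return "allowed"
    if req.kind == "reset_password":
        if req.reset_via not in acct.emails:
            return "denied: unknown recovery address"
        added = acct.added_at.get(req.reset_via)
        if added is not None and req.now - added < COOLING_OFF:
            return "denied: recovery address added too recently"
        return "allowed"
    return "denied: unsupported action"


def replay_reported_sequence(policy) -> list:
    """Run add-email-then-reset against a policy; return the two decisions."""
    t0 = datetime(2026, 6, 1, 3, 0)
    acct = Account("archive_demo", ["owner@example.org"],
                   last_login=datetime(2017, 1, 20))          # dormant account
    add = Request("add_email", t0, new_email="intruder@example.net",
                  proved_new_email=True)            # only the NEW address is proved
    reset = Request("reset_password", t0 + timedelta(minutes=5),
                    reset_via="intruder@example.net")
    return [policy(acct, add), policy(acct, reset)]


def legitimate_owner_sequence() -> list:
    """An active owner confirming through an existing channel: the change is
    allowed, but the new address cannot reset the password right away."""
    t0 = datetime(2026, 6, 1, 12, 0)
    acct = Account("bakery_demo", ["owner@example.org"],
                   last_login=t0 - timedelta(days=1))
    add = Request("add_email", t0, new_email="owner2@example.org",
                  proved_new_email=True, proved_existing=True)
    early = Request("reset_password", t0 + timedelta(hours=1),
                    reset_via="owner2@example.org")
    later = Request("reset_password", t0 + timedelta(hours=25),
                    reset_via="owner2@example.org")
    return [hardened_policy(acct, r) for r in (add, early, later)]


if __name__ == "__main__":
    print("weak:", replay_reported_sequence(weak_policy))
    print("hardened:", replay_reported_sequence(hardened_policy))
    print("owner:", legitimate_owner_sequence())
```

The design point is that the assistant never becomes the authority: `proved_new_email` is necessary but not sufficient, the decision for dormant or high-profile accounts is handed to a human, and even a legitimately added address has to age before it can carry a reset, which removes the "move the recovery path, then reset" ordering the article describes.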

The reported victims also show why inactive accounts are not harmless. An archived government account or a dormant public-facing handle can still carry credibility. If it is taken over, followers may assume the account still represents the institution or person associated with it.
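As a platform-side complement to stricter authorization, a security team can also monitor audit logs for the sequence the reports describe. The block below is an added example, not Meta's or Instagram's code: a detection rule that flags any password reset routed to a recovery address that was added shortly before it, and records which actor added the address so assistant-driven changes can be triaged first. The log format, field names, handles, addresses and the one-hour window are all constructed for the example.

```python
"""Added illustration (not Meta's or Instagram's code): a detection rule
for "recovery email added, then password reset to that address" over
audit-log events. Log format, fields and sample values are invented."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed: how close the two events must be

# Constructed sample: a dormant account changed through the assistant and
# reset minutes later, and a business owner who changed their address in
# settings days before an ordinary reset.
SAMPLE_LOG = """\
2026-06-01T02:58:11Z account=archive_demo actor=support_assistant action=recovery_email_added email=intruder@example.net
2026-06-01T03:04:52Z account=archive_demo actor=recovery_flow action=password_reset via=intruder@example.net
2026-05-29T10:15:00Z account=bakery_demo actor=settings_page action=recovery_email_added email=owner2@example.org
2026-06-01T09:30:00Z account=bakery_demo actor=recovery_flow action=password_reset via=owner2@example.org
"""


def parse_line(line: str) -> dict:
    """One event per line: UTC timestamp followed by key=value fields."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for f in fields:
        key, _, value = f.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_suspicious_resets(events: list, window: timedelta = WINDOW) -> list:
    """Return one alert per password reset that relies on a recovery address
    added less than `window` earlier on the same account."""
    additions = {}   # (account, email) -> [events that added that address]
    for e in events:
        if e.get("action") == "recovery_email_added":
            additions.setdefault((e["account"], e["email"]), []).append(e)

    alerts = []
    for e in events:
        if e.get("action") != "password_reset":
            continue
        for add in additions.get((e["account"], e.get("via")), []):
            age = e["ts"] - add["ts"]
            if timedelta(0) <= age <= window:
                alerts.append({
                    "account": e["account"],
                    "address": e["via"],
                    "added_by": add["actor"],      # e.g. support_assistant
                    "minutes_between": int(age.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, only the dormant account produces an alert; the business owner's reset arrives days after the address change and falls outside the window. In a real pipeline the `added_by` field and the account's dormancy or profile status would feed the alert's severity.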

What to watch next

Meta says the issue has been patched, so the immediate question is less whether this exact method still works and more whether similar support flows exist elsewhere. Large platforms are racing to use AI assistants for account help because support at social-network scale is expensive and frustrating. The pressure to automate is real.

The next test is whether those systems are designed with hard boundaries around identity changes. A chatbot that can answer account questions is one thing. A chatbot that can alter recovery credentials is another.

For Instagram users, the incident is a reminder to keep recovery information current, enable stronger account protections where available, and watch for unexpected password-reset emails or account-change notices. Those steps cannot fix a platform-side flaw, but they can make suspicious changes easier to notice quickly.

For companies building AI support, the lesson is sharper: customer-service convenience should not silently weaken account ownership. The moment an assistant can touch recovery credentials, it needs the same security scrutiny as the login system itself.