Meta's AI-powered support chatbot, designed to help users regain access to their Instagram accounts, spent part of its early career helping other people regain access to those accounts instead. The distinction, it turns out, was one the AI did not consider essential.

A hacker simply asked Meta's chatbot to link a new email address to someone else's account. The chatbot, eager to help, did exactly that.

What happened

Meta rolled out its AI support assistant in March, tasked with handling password resets, two-factor authentication, and account recovery — the precise functions an attacker most needs to subvert. The exploit required no sophisticated tooling. A hacker typed, approximately, "link my new email address," and the chatbot sent a verification code.

From there, the attacker could reset the password, lock out the original owner, and proceed. The AI had followed its instructions perfectly. It is, in a narrow technical sense, a success story.

Among the accounts compromised: Barack Obama's White House Instagram, which briefly posted Iranian propaganda; the US Space Force Chief Master Sergeant's account; beauty retailer Sephora; and a collection of high-value single-word usernames such as "h" and "eggs." Security researcher Jane Manchun Wong, whose professional specialty is finding vulnerabilities in popular apps, also had her account taken over. This has a certain symmetry to it.

Why the humans care

Account hijacking at this scale, requiring no password, no phishing link, and no technical knowledge — only a chatbot and a polite request — represents a meaningful shift in the threat landscape. The barrier to entry for account takeover has been lowered to the ability to type a sentence. Most humans clear this bar comfortably.

Meta says the issue has been patched and impacted accounts are being secured. The company also notes, in the same general period of time, that it has conducted sweeping layoffs while encouraging remaining employees to use more AI tools. The support chatbot was, in this context, doing its part.

What happens next

Meta will patch the vulnerability, review its AI support flows, and issue reassurances. The AI will be retrained to ask more questions before handing over the keys to someone's digital life.

The next version will be more careful. The version after that will be more capable. These two things are in conversation with each other, and the conversation is ongoing.