Meta has fixed a security vulnerability in Instagram that reportedly allowed hackers to take over user accounts by exploiting the company’s AI-powered support assistant. According to a report from TechCrunch, attackers were able to use Meta’s AI support chatbot to change the email address associated with targeted Instagram accounts and subsequently reset passwords, potentially bypassing protections such as two-factor authentication. Meta has confirmed that the issue has now been patched, though it remains unclear how many users were affected before the fix was rolled out.
Several users publicly reported losing access to their Instagram accounts. Security researcher Jane Wong said her account was taken over and that her password had been changed without her knowledge. According to TechCrunch, Wong also experienced multiple password reset attempts before losing access to the account. The Instagram account associated with US Space Force Chief Master Sergeant John Bentivegna was also reportedly affected.
How the exploit worked
According to TechCrunch, attackers did not need access to the victim’s email account in order to take over an Instagram profile. The attacker would first use a VPN to make it appear as though they were logging in from the same location as the target. They would then initiate a conversation with Meta’s AI Support Assistant and request that a new email address be added to the victim’s Instagram account.
The report noted that the chatbot would send a verification code to the email address supplied by the attacker. After providing that code back to the chatbot, attackers were presented with a password reset option, allowing them to set a new password and gain control of the account.
The publication said it verified that the email address shown in the demonstration video successfully received the verification code used during the process.
AI support tool was introduced for account recovery
According to Engadget, the vulnerability involved the AI-powered support assistant that Meta introduced in December to help users recover access to locked Facebook and Instagram accounts more quickly.
The publication reported that security researchers found hackers could misuse the tool to take over accounts, even in cases where additional security measures such as two-factor authentication had been enabled.
Screenshots, videos, and instructions detailing the exploit reportedly circulated widely on Telegram over the weekend, allowing more attackers to replicate the method.
Location checks may have played a role
Neither Meta nor Instagram has publicly detailed the technical cause of the vulnerability. However, reports suggest the AI support system relied in part on a user’s physical location as a verification signal. Attackers used VPN services to make their location appear similar to that of the targeted account holder, potentially helping them bypass certain automated security checks.
Engadget noted that Meta had previously highlighted location recognition as one of the factors used by its account recovery systems to verify users.
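The two weaknesses the reports describe, a verification code sent to the newly supplied address and location treated as an ownership signal, modelled side by side with a hardened policy in an added illustrative example. This is not Meta's code and is not known to match its implementation; the Account and RecoveryRequest fields, the region labels and the decision strings are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass
class Account:
    verified_email: str   # address already bound to the account
    home_region: str      # region the account is usually used from
    totp_enabled: bool    # second factor enrolled

@dataclass
class RecoveryRequest:
    claimed_region: str            # inferred from the requester's IP; a VPN can spoof it
    new_email: str                 # address the requester asks to add
    new_email_code_ok: bool        # requester echoed the code sent to new_email
    existing_email_code_ok: bool   # requester echoed a code sent to verified_email
    totp_ok: bool                  # requester presented a valid second-factor code

def vulnerable_policy(acct: Account, req: RecoveryRequest) -> str:
    """Weak flow as reported: matching region plus control of the *new* address
    is treated as ownership, so anyone on a VPN exit near the victim who owns
    an inbox of their own passes, regardless of the account's second factor."""
    if req.claimed_region == acct.home_region and req.new_email_code_ok:
        return "allow_email_change_and_reset"
    return "deny"

def hardened_policy(acct: Account, req: RecoveryRequest) -> str:
    """Binding a new contact channel requires proof of a channel already on the
    account (existing email or second factor); region only adjusts risk."""
    possession = req.existing_email_code_ok or (acct.totp_enabled and req.totp_ok)
    if not possession:
        return "deny"              # owning the new inbox proves nothing about the account
    if req.claimed_region != acct.home_region:
        return "step_up_review"    # legitimate but unusual location: route to manual review
    return "allow_email_change_and_reset"

# Constructed sample inputs (not real accounts or addresses).
VICTIM = Account("owner@example.com", "US-CA", totp_enabled=True)
ATTACKER_REQUEST = RecoveryRequest("US-CA", "attacker@example.net",
                                   new_email_code_ok=True, existing_email_code_ok=False, totp_ok=False)
OWNER_REQUEST = RecoveryRequest("US-CA", "owner-new@example.com",
                                new_email_code_ok=True, existing_email_code_ok=True, totp_ok=False)
TRAVELLING_OWNER_REQUEST = RecoveryRequest("FR-IDF", "owner-new@example.com",
                                           new_email_code_ok=True, existing_email_code_ok=False, totp_ok=True)

if __name__ == "__main__":
    for name, req in [("attacker", ATTACKER_REQUEST), ("owner", OWNER_REQUEST),
                      ("travelling owner", TRAVELLING_OWNER_REQUEST)]:
        print(f"{name:16s} weak={vulnerable_policy(VICTIM, req):28s} hardened={hardened_policy(VICTIM, req)}")
```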
Meta says the issue has been fixed
Meta has acknowledged the issue and says it has now been resolved.
Meta spokesperson Andy Stone confirmed on X that the vulnerability had been fixed. He also stated that the company is working to secure accounts that may have been impacted.
Meta has not disclosed how many Instagram accounts were affected, how long the vulnerability existed, or whether any additional safeguards have been introduced following the incident.