Meta’s AI-powered support chatbot spent the weekend handing strangers control of other people’s Instagram accounts. The attack required no technical sophistication. Hackers simply told the Meta AI chatbot that they owned a target account and asked it to link the account to an email address they controlled. The chatbot complied. It then allowed the attacker to reset the target’s password and take over the account, in some cases locking the original owner out entirely. At no point were Meta employees or contractors involved. On Monday, Meta spokesperson Andy Stone said the issue had been fixed. On Tuesday, more Instagram users reported their accounts had been taken over. Meta then began sending password reset notifications to affected users and started alerting victims of suspicious activity.
The mechanics of the attack are worth spelling out precisely because they are not subtle. Meta announced in March that its AI-powered customer support chatbot had the ability to reset passwords securely and resolve account issues from start to finish, without human involvement. That design decision – giving an AI chatbot the ability to perform account-takeover-equivalent actions based on user claims with no additional verification – is what made the entire class of attack possible. Discussions in a Telegram channel that popularized the technique showed hackers actively advertising apparently stolen handles for sale, including at the time of reporting. The accounts targeted included those with short, high-value usernames – common forenames, country names – which command premium prices in a gray market for so-called “OG handles” that has existed on and around Instagram for years. That market context and its connection to Meta’s AI rollout is what NewsTrackerToday took apart as the enabling condition the attack exposed.
Sophie Leclerc, who covers the technology sector, identifies the architecture problem directly: “Meta built a support chatbot that could take account-control actions based entirely on self-reported identity claims. That is a fundamental design choice, not a configuration error. You don’t fix it by patching a prompt. You fix it by requiring out-of-band verification for any action that materially changes who controls an account, which is a different product architecture. The fact that accounts kept getting compromised after the fix was announced suggests the patch addressed the specific technique being publicized rather than the underlying permission model. That’s a meaningful distinction, and it matters for how quickly attackers find the next variant.”
Meta said it secured affected accounts on Monday and began sending password reset emails. Stone would not say how many accounts were taken over. Victims publicly shared Instagram emails warning that the company had detected suspicious activity suggesting the account may have been compromised, along with instructions to reset passwords. The email confirmation is the clearest acknowledgment that the incident affected real accounts at scale, and the absence of a total count from Meta is what NewsTrackerToday noted as the gap between the company’s public messaging and what affected users deserve to know.
Ethan Cole reads the platform accountability question concisely: “AI chatbot gets deployed with account-takeover permissions. No verification layer. Hackers find it in under 24 hours. Company says it’s fixed. More accounts get taken. Company starts sending notifications. The sequence is not a surprise. It’s what happens when you automate consequential actions without adversarial testing.” The OG handles market has existed since Instagram’s early years, previously requiring attackers to phish victims, take over their phone numbers, or bribe telecom insiders to steal valued usernames. That effort level meant the attack surface was narrow. Meta’s AI chatbot eliminated the friction entirely. The resulting attack required nothing more than typing a request, which is what NewsTrackerToday zeroed in on as the structural change this incident represents in the economics of account theft.
The uncomfortable conclusion this week forces is not that AI support chatbots are inherently dangerous. The conclusion is that Meta deployed one with the ability to modify account ownership and access credentials, without apparently asking what happens when someone lies to it. The chatbot did not fail. It did exactly what it was designed to do: respond to user requests and resolve account issues from start to finish. The design itself was the vulnerability. And what News Tracker Today connects to the broader pattern of AI deployment at scale is the question the OG handle market already answered: every new authentication surface with insufficient verification becomes an attack surface faster than the company deploying it expects.
