{"id":731315,"date":"2026-06-04T06:35:13","date_gmt":"2026-06-04T03:35:13","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/hackers-asked-metas-ai-chatbot-to-hand-over-instagram-accounts-and-it-did\/"},"modified":"2026-06-04T06:35:13","modified_gmt":"2026-06-04T03:35:13","slug":"hackers-asked-metas-ai-chatbot-to-hand-over-instagram-accounts-and-it-did","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/hackers-asked-metas-ai-chatbot-to-hand-over-instagram-accounts-and-it-did\/","title":{"rendered":"Hackers asked Meta\u2019s AI chatbot to hand over Instagram accounts, and it did"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a3d6b305d18f\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a3d6b305d18f\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/hackers-asked-metas-ai-chatbot-to-hand-over-instagram-accounts-and-it-did\/#TLDR\" >TL;DR<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/buradabiliyorum.com\/en\/hackers-asked-metas-ai-chatbot-to-hand-over-instagram-accounts-and-it-did\/#How_the_attack_worked\" >How the attack worked<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/buradabiliyorum.com\/en\/hackers-asked-metas-ai-chatbot-to-hand-over-instagram-accounts-and-it-did\/#A_grey_market_for_stolen_handles\" >A grey market for stolen handles<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/buradabiliyorum.com\/en\/hackers-asked-metas-ai-chatbot-to-hand-over-instagram-accounts-and-it-did\/#Meta_scrambles_to_notify_victims\" >Meta scrambles to notify victims<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/buradabiliyorum.com\/en\/hackers-asked-metas-ai-chatbot-to-hand-over-instagram-accounts-and-it-did\/#The_cost_of_automating_trust\" >The cost of automating trust<\/a><\/li><\/ul><\/nav><\/div>\n<div id=\"article-main-content\">\n<p><em><\/p>\n<div class=\"postContent-tldr\">\n<h4 class=\"postContent-offsetTitle\"><span class=\"ez-toc-section\" id=\"TLDR\"><\/span>TL;DR<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Hackers hijacked high-profile Instagram accounts by asking Meta\u2019s AI support chatbot to change account email addresses without identity verification. Meta says the flaw is fixed, but attacks reportedly continued after the company\u2019s announcement.<\/p>\n<\/div>\n<p><\/em><\/p>\n<p>No phishing link. No malware. No SIM swap.\u00a0Hackers took over high-profile Instagram accounts\u00a0over the weekend by doing something disarmingly simple: they asked Meta\u2019s AI customer support chatbot to change the email address on someone else\u2019s account. The bot complied without verifying the requester\u2019s identity, and the attacker then reset the password and locked out the rightful owner.<\/p>\n<p>The technique, which was\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.404media.co\/hackers-simply-asked-meta-ai-to-give-them-access-to-high-profile-instagram-accounts-it-worked\/\" target=\"_blank\" rel=\"nofollow noopener\">first reported by 404 Media<\/a>, spread through Telegram channels where hackers shared the method and began advertising stolen handles for sale. Among the compromised accounts were the dormant\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.tmz.com\/2026\/05\/31\/obama-white-house-hacked-on-instagram\/\" target=\"_blank\" rel=\"nofollow noopener\">Obama White House Instagram profile<\/a>, which was used to post unauthorised AI-generated images, and the account of US Space Force chief master sergeant\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/taskandpurpose.com\/culture\/space-force-bentivegna-instagram-hacked\/\" target=\"_blank\" rel=\"nofollow noopener\">John Bentivegna<\/a>.<\/p>\n<p>Meta spokesperson Andy Stone\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/andymstone\/status\/2061489833441145103\" target=\"_blank\" rel=\"nofollow noopener\">said on Monday<\/a>\u00a0that \u201cthe issue that did h<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>en has already been fixed.\u201d But on Tuesday, more Instagram users reported losing access to their accounts, and members of the same Telegram channels\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/techcrunch.com\/2026\/06\/03\/instagram-is-alerting-users-who-were-targeted-by-hackers-during-ai-chatbot-attacks\/\" target=\"_blank\" rel=\"nofollow noopener\">claimed the exploit still worked<\/a>, according to TechCrunch.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_the_attack_worked\"><\/span>How the attack worked<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The method exploited a flaw in Meta\u2019s AI Support Assistant, which the company\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/about.fb.com\/news\/2026\/03\/boosting-your-support-and-safety-on-metas-apps-with-ai\/\" target=\"_blank\" rel=\"nofollow noopener\">rolled out in March 2026<\/a>\u00a0with the ability to \u201cresolve account issues from start to finish,\u201d including resetting passwords. The chatbot was designed to replace human support agents for routine account recovery tasks.<\/p>\n<div class=\"inarticle-wrapper latest channel-cta hs-embed-tnw\">\n<div id=\"hs-embed-tnw\" class=\"channel-cta-wrapper\">\n<div class=\"channel-cta-img\"><img decoding=\"async\" class=\"js-lazy\" src=\"https:\/\/media.thenextweb.com\/hardfork-2018\/uploads\/visuals\/tnw-newsletter.png\"\/><\/div>\n<p><img decoding=\"async\" src=\"https:\/\/media.thenextweb.com\/hardfork-2018\/uploads\/visuals\/tnw-newsletter.png\"\/><\/p>\n<div class=\"channel-cta-input\">\n<p class=\"channel-cta-title\">The \ud83d\udc9c of EU tech<\/p>\n<p class=\"channel-cta-tagline\">The latest rumblings from the EU tech scene, a story from our wise ol&#8217; founder Boris, and some questionable AI art. It&#8217;s free, every week, in your inbox. Sign up now!<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>An attacker would identify a target account, typically a short \u201cOG\u201d username worth thousands on underground markets. They would use a VPN to spoof the target\u2019s presumed location, open a chat with the AI support bot, and simply claim to be the account owner. The bot would then link the attacker\u2019s email address to the target account without asking for any proof of ownership.<\/p>\n<p>A human support agent would have verified the caller\u2019s identity before making such a change. The chatbot did not.\u00a0Two-factor authentication\u00a0may have blocked some takeovers, but accounts without it enabled were vulnerable to compromise in minutes.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"A_grey_market_for_stolen_handles\"><\/span>A grey market for stolen handles<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>For years,\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.vice.com\/en\/article\/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin\/\" target=\"_blank\" rel=\"nofollow noopener\">a flourishing underground market<\/a>\u00a0has existed for so-called OG usernames, the short, desirable handles claimed by Instagram\u2019s earliest users. Previous methods of stealing them required technical sophistication: phishing the victim, bribing telecom insiders to perform SIM swaps, or compromising email accounts.<\/p>\n<p>This attack lowered the barrier to entry dramatically. The hackers who shared the technique on Telegram were advertising apparently stolen handles for sale, including common forenames and country names that function as collectibles in this grey market. TechCrunch reported that the sales continued even after Meta\u2019s announced fix.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Meta_scrambles_to_notify_victims\"><\/span>Meta scrambles to notify victims<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Meta has been sending password reset emails and security notifications to users whose accounts were targeted. Several victims reported receiving messages from Instagram warning that the company had \u201cdetected some suspicious activity that suggests your Instagram may have been compromised,\u201d along with instructions to reset their passwords.<\/p>\n<p>Stone told TechCrunch that Meta secured affected accounts on Monday before beginning its notification campaign. He declined to say how many users were compromised. Meta also disputed that the Obama White House account was taken over using this specific method, though it confirmed the account was hacked.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_cost_of_automating_trust\"><\/span>The cost of automating trust<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The incident exposes a fundamental tension in\u00a0deploying AI agents with real-world authority. Meta built its support chatbot to perform actions that previously required a human in the loop, but it shipped that capability without the verification checks that human agents would have applied as a matter of course.<\/p>\n<p>It is a pattern the industry has seen before. When\u00a0Instagram account recovery\u00a0was handled by humans, the process was slow and often frustrating, but it at least required the requester to prove they were who they claimed to be. Automating that process without preserving the identity-verification step turned a bottleneck into a vulnerability.<\/p>\n<p>The broader lesson is not that AI should never handle sensitive account operations, but that\u00a0authentication remains a problem no chatbot can shortcut. Meta gave its AI the power to hand over the keys. The hackers simply walked up and asked for them.<\/p>\n<\/p><\/div>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMN63nwsw68G3Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/buradabiliyorum.com\/en\/category\/technology\/\" target=\"_blank\" >Technology category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/news\/hackers-asked-metas-ai-chatbot-to-hand-over-instagram-accounts-and-it-did\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR Hackers hijacked high-profile Instagram accounts by asking Meta\u2019s AI support chatbot to change account email addresses without identity verification. Meta says the flaw is fixed, but attacks reportedly continued after the company\u2019s announcement. No phishing link. No malware. No SIM swap.\u00a0Hackers took over high-profile Instagram accounts\u00a0over the weekend by doing something disarmingly simple: they&#8230;<\/p>\n","protected":false},"author":1,"featured_media":731316,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/media.thenextweb.com\/2026\/05\/meta-acquires-assured-robot-intelligence-humanoid.avif","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-731315","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/731315","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=731315"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/731315\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/731316"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=731315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=731315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=731315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}