Hackers Abused Meta’s AI Support Bot to Hijack Major Instagram Accounts


Hackers abused Meta’s AI support bot to hijack major Instagram accounts, bypassing security checks as videos showed the flaw before Meta fixed the issue.

Instagram has fixed a security problem that let hackers hijack several famous accounts by tricking the Meta AI support assistant, a new artificial intelligence helper from Instagram’s parent company, Meta.

The incident happened over the weekend and came to light when several users on social media platforms like X and Reddit complained, with proof, of losing control of their Instagram accounts.

The profiles impacted included well-known beauty brand Sephora, high-ranking US Space Force Chief Master Sergeant John Bentivegna, and security researcher Jane Wong.

Hackers also took over the archived Barack Obama White House account, which has over two million followers, and posted fake pictures and pro-Iranian messages. “The White House is under Shiites’ control,” one of the messages read.

Instagram Fixes Major Security Issue After Hackers Trick Meta AI Support Chatbot

How the Scammers Fooled the Bot

In March, Meta started testing the Meta AI support assistant for Facebook and Instagram. It was supposed to help with things like resetting passwords without a human needing to get involved. But hackers quickly found a major security flaw in the way the AI was programmed to reason: a logic flaw that forced the AI to trust data in the wrong order.

The hackers started by using a VPN to hide where their computer really was. They picked a location close to the person they wanted to hack, which made sure Instagram’s security systems didn’t flag anything strange.

Then, they started a chat with the AI assistant. They gave it the username they wanted to take over and asked it to add a new email address to that account. Due to the logic flaw, the bot sent a security verification code to the hacker’s email. When the hacker typed this code back into the chat, the bot gave them a button to change the password. The system even accepted fake selfie videos made by AI tools to bypass identity checks.

The real owners of these accounts didn’t get any warnings, texts, or emails about these changes at all. Even worse, the trick also bypassed two-factor authentication, which usually asks for an extra step to prove it’s you before making big changes.
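The "wrong order" described above can be modelled in a few lines. This is an added example, not Meta's code and not part of the original article; every class and function name is hypothetical and the sample data is constructed. It contrasts a challenge sent to the address supplied in the chat with one sent only to contact details that were already on file.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:                      # hypothetical account record
    username: str
    verified_emails: set            # addresses proven to be the owner's before this chat
    mfa_enabled: bool = True
    notifications: list = field(default_factory=list)

@dataclass
class Mailer:                       # stand-in for the mail service; records what was sent
    outbox: dict = field(default_factory=dict)

    def send_code(self, address):
        self.outbox[address] = f"{secrets.randbelow(10**6):06d}"

def flawed_challenge(account, requested_email, mailer):
    """Wrong order: the code goes to the address supplied in the chat, so a
    correct code proves control of the new address, not of the account."""
    mailer.send_code(requested_email)
    return [requested_email]

def hardened_challenge(account, requested_email, mailer, mfa_passed):
    """Right order: ownership is proven with factors on file before the request,
    and the owner is told on every existing channel."""
    if account.mfa_enabled and not mfa_passed:
        raise PermissionError("second factor required before changing contact details")
    recipients = sorted(account.verified_emails - {requested_email})
    if not recipients:
        raise PermissionError("no verified contact on file; escalate to human review")
    for address in recipients:
        mailer.send_code(address)
        account.notifications.append((address, f"request to add {requested_email}"))
    return recipients

if __name__ == "__main__":
    acct = Account("brand_account", {"owner@example.com"})   # constructed sample data
    print(flawed_challenge(acct, "requester@example.net", Mailer()))
    try:
        hardened_challenge(acct, "requester@example.net", Mailer(), mfa_passed=False)
    except PermissionError as exc:
        print("refused:", exc)
```

In the flawed path the owner's address never receives anything, which matches the missing warnings the article reports; in the hardened path the requester's address never receives a code.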

Watch the full saga of Instagram accounts being compromised one after another, as shared by International Cyber Digest, a cybersecurity news feed on X, formerly Twitter.

Calls for Better Support

Step-by-step videos showing the hacking trick quickly went viral in blackhat hacking groups on Telegram. Security experts following the issue said that valuable short handles like “hey” and “jowo” (collectively valued at around $1 million) were stolen and sold for money.

People who lost control of their accounts complained about being unable to talk to a real Meta representative and get a human worker involved. On Monday, Meta spokesperson Andy Stone posted on social media that the company had fixed the problem and was working to secure the affected accounts again.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.