By Julian Castillo
Your Instagram account can be stolen without anyone breaking into Meta’s servers or hacking your password. The criminals simply used Meta’s support AI to take control. The vulnerability has already been patched, but thousands of accounts have already been exposed.
All it took was for the hacker to ask the chatbot to change the email associated with the victim account. The AI accepted the request, sent the verification code to the attacker’s email, and allowed the password reset without any real validation. The legitimate owner was locked out of their own profile while the criminal took control.
How hackers managed to use Meta’s AI to steal Instagram accounts
The attack did not require complex malware or sophisticated exploits. The fault was in the logic of the support chatbot, not on Meta’s internal servers.
The attackers started a conversation with the AI assistant and asked to link the account to a new email. The bot accepted the request within the usual recovery flow and sent the verification code to the new email. With that code, the hacker was able to reset the password and take complete control.
In some cases, criminals used VPNs to hide their location and make it appear that the request was coming from close to the victim. This served to avoid automatic security alerts. The key point is that the automated system trusted too quickly, and that opened the door to anyone who knew how to ask for the change.
The trick that made it possible to change the email without anyone noticing
The vulnerability allowed the Meta assistant to update the email without sufficiently verifying whether the person requesting it was actually the owner of the account. Once updated, the recovery code reached the attacker and not the legitimate user.
All the attacker had to do was ask the chatbot to make the change within the recovery flow. There was no need for stolen keys or access to the victim’s device.
When an AI goes from answering questions to executing actions on real accounts, the security standard has to be much stricter. The chatbot is not only a useful tool; it can also become an access route for anyone who knows how to use it.
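The missing check described above, as an added example that is not Meta’s code: a hypothetical support-agent handler for an email change, first with the flaw the article describes and then with the code bound to the address already on file. Every name and address here (`Account`, `change_email_flawed`, `change_email_hardened`, the example.com mailboxes) is an assumption made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    email: str                                    # verified address on file
    outbox: list = field(default_factory=list)    # (recipient, code) pairs "sent"
    pending: dict = field(default_factory=dict)   # code -> requested new email

def _send_code(acct, recipient, new_email):
    code = secrets.token_hex(4)
    acct.pending[code] = new_email
    acct.outbox.append((recipient, code))

def change_email_flawed(acct, requested_email):
    # Flaw from the article: the code goes to the address the requester
    # supplied, so receiving it proves nothing about owning the account.
    _send_code(acct, requested_email, requested_email)

def change_email_hardened(acct, requested_email):
    # The code goes only to the address already on file; the chat text
    # never chooses where proof of ownership is delivered.
    _send_code(acct, acct.email, requested_email)

def confirm(acct, code):
    # Single-use code, compared in constant time.
    for issued, new_email in list(acct.pending.items()):
        if hmac.compare_digest(issued, code):
            del acct.pending[issued]
            acct.email = new_email
            return True
    return False

def requester_gains_control(handler):
    # Constructed scenario: the requester can read only their own mailbox.
    acct = Account("victim_user", "owner@example.com")
    requester = "requester@example.net"
    handler(acct, requester)
    for recipient, code in acct.outbox:
        if recipient == requester:
            confirm(acct, code)
    return acct.email == requester

if __name__ == "__main__":
    print("flawed flow hijacked:  ", requester_gains_control(change_email_flawed))
    print("hardened flow hijacked:", requester_gains_control(change_email_hardened))
```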
What Meta did next and what it means for your account
Meta confirmed that the issue has now been fixed and that it is securing the affected accounts. The company said there was no breach in its internal systems and that Instagram accounts remain secure.
The bug allowed the credential reset mechanism to be abused without breaching the Meta backend. Automation without sufficient barriers can be very expensive when a chatbot acts as gatekeeper, support agent and messenger at the same time.
This case confirms that two-step authentication remains the most useful defense. Accounts with additional security measures were not as easy to compromise. Security depends on how many layers your account has before it is exposed.
What you can do to protect yourself
Activate two-step authentication on Instagram and all your important accounts. Regularly check the emails associated with your profiles and be wary of messages that suddenly request information for no clear reason.
Meta will have to adjust its controls, because when a chatbot can change emails and reset passwords through a simple conversation, the risk becomes too great. The same tool that solves your problems can also be the one that creates them if it lacks proper brakes.