Meta patched a critical flaw in its AI Support Assistant on Monday, June 1, after attackers used it to hijack Instagram accounts without ever accessing victims’ emails. The vulnerability is no longer active, but it exposed a fundamental gap in how AI agents handle account-level privileges — one that applies to any AI support system with the authority to make account changes. Hackers tricked the chatbot into resetting passwords with no identity verification required.

How the Attack Worked

A video posted on X showed the step-by-step process. The attacker used a VPN to spoof the target’s presumed location, avoiding Instagram’s automated account protections. They then opened a chat with Meta AI Support Assistant and asked the bot to add a new email address to the target’s account.

The chatbot sent a verification code to the attacker’s email. The attacker shared the code back with the chatbot, which then displayed a “Reset Password” button. The attacker entered a new password and took over the account, according to TechCrunch, which verified that the hacker’s public email mailbox received the verification code.

At no point did the attacker need to access the legitimate email address linked to the victim’s Instagram account.

Compromised Accounts

The hijacked accounts included the Obama-era White House Instagram handle, inactive since 2017, and the account of U.S. Space Force Chief Master Sergeant John Bentivegna. Security researcher Jane Wong confirmed her account was also taken over.

“The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday,” Wong told TechCrunch. Multiple users on Reddit and X reported similar hijackings over the same weekend.

The Agent Authorization Problem

The core flaw: Meta’s AI agent treated the person it was talking to as the account owner without independent verification. A human support agent would have required identity confirmation before adding a new email to an account. The chatbot did not.

This is not a novel failure mode. Salesforce’s Agentforce customers have been reluctant to grant AI agents the authority to take financially meaningful actions for the same reason, according to The Next Web. Analyst Rebecca Wettemann described the fear as “the AI running off in the middle of the night and refunding a bunch of transactions.”

Meta gave its AI the authority to reset passwords. The AI executed exactly what it was asked to do, for the wrong person.
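The gap described above, shown as an added illustration rather than Meta's code: the flawed policy sends its challenge to the address the requester supplies, so it only proves control of that new mailbox, while the hardened policy requires a chat session authenticated as the account owner and challenges the contact already on file. The account store, addresses and session model are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
import secrets

# Constructed sample account store: handle -> contact email already on file.
ACCOUNTS = {"victim_handle": {"email": "owner@example.com"}}

@dataclass
class Requester:
    """The party chatting with the support agent."""
    mailboxes: Set[str]                  # addresses this party can actually read
    session_account: Optional[str] = None  # account authenticated in this chat, if any

def send_code(address: str, outbox: Dict[str, List[str]]) -> str:
    """Deliver a one-time code to an address (outbox simulates the mail system)."""
    code = f"{secrets.randbelow(10**6):06d}"
    outbox.setdefault(address, []).append(code)
    return code

def read_code(requester: Requester, address: str, outbox: Dict[str, List[str]]) -> Optional[str]:
    """The requester can only echo a code from a mailbox they control."""
    if address in requester.mailboxes and outbox.get(address):
        return outbox[address][-1]
    return None

def weak_add_email(account: str, new_email: str, requester: Requester,
                   outbox: Dict[str, List[str]]) -> bool:
    """Flawed policy: the challenge goes to the NEW address the requester supplied.
    Passing it proves control of that address, not ownership of the account."""
    code = send_code(new_email, outbox)
    return read_code(requester, new_email, outbox) == code

def hardened_add_email(account: str, new_email: str, requester: Requester,
                       outbox: Dict[str, List[str]]) -> bool:
    """Hardened policy: no account-changing tool without an authenticated session
    bound to this account, and the challenge goes to the contact already on file."""
    if requester.session_account != account:
        return False  # an unauthenticated chat never reaches the tool at all
    on_file = ACCOUNTS[account]["email"]
    code = send_code(on_file, outbox)
    return read_code(requester, on_file, outbox) == code

def demo() -> Dict[str, bool]:
    """Same request from a stranger and from the owner under both policies."""
    stranger = Requester(mailboxes={"stranger@example.net"})
    owner = Requester(mailboxes={"owner@example.com"}, session_account="victim_handle")
    return {
        "weak_stranger": weak_add_email("victim_handle", "stranger@example.net", stranger, {}),
        "hardened_stranger": hardened_add_email("victim_handle", "stranger@example.net", stranger, {}),
        "hardened_owner": hardened_add_email("victim_handle", "new@example.com", owner, {}),
    }
```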

Patch Status and Unknowns

Instagram spokesperson Andy Stone confirmed on X on Monday that the issue was fixed. It remains unclear how many accounts were compromised. Meta did not respond to TechCrunch’s request for comment.

The attack adds to a pattern identified by Cybersecurity News: AI agents with account-level privileges create attack surfaces that did not exist before their deployment. When an AI agent has the authority to act, the security of the system depends entirely on whether the agent can verify who is asking it to act.