Attackers took over high-profile Instagram accounts, including the Obama White House account and a US Space Force commander’s page, by simply asking the Meta AI support assistant to swap the email address on the account. The wave of takeovers started May 29, and Meta only confirmed a fix on June 2.
Key Takeaways
- Meta’s AI chatbot was manipulated into changing account email addresses without authenticating the requester as the legitimate owner.
- High-value handles were resold on Telegram within minutes; two compromised accounts had a combined estimated value above one million dollars.
- Meta deployed an emergency hotfix on the evening of May 29, but a variant via Facebook’s recovery flow may still be active.
The Attack: How It Worked
Meta rolled out its Meta AI support assistant to all Facebook and Instagram accounts in March, including for security operations: password resets, account recovery, and suspicious activity detection. The company positioned the AI as a defense against account takeovers. It became the attack surface itself.
The method is straightforward. The attacker activates a VPN to match the target account’s geographic region. They initiate a password reset request, then ask the Meta AI chatbot to change the account’s email address. The chatbot executes the change without verifying the requester is the actual account owner. A confirmation code goes to the attacker’s email. Access transferred.
For accounts with biometric verification layers, attackers ran existing photos of the target through AI video generators to produce deepfake clips capable of passing automated identity checks. AI was used to both exploit the vulnerability and bypass the secondary defense layer.
The method had been circulating in Telegram channels since late March. The mass exploitation wave started May 29. Dozens of high-value accounts changed hands within hours. Meta’s emergency patch arrived that same evening. The most valuable accounts had already been resold.
Victims who want to officially dispute a stolen account enter Meta’s manual review process, which takes days. The stolen accounts were already being resold on Telegram within minutes of compromise. That gap between attack speed and recovery speed is itself a structural problem.
The Design Flaw Behind the Vulnerability
This incident is not an edge case. It is the predictable outcome of a design decision: giving an AI chatbot the ability to perform irreversible privileged actions without robust identity verification at the point of request. No push notification was sent to the account owner’s authenticated device. No confirmation email was sent to the original address. The AI could change account credentials with no check against the legitimate owner’s real-time awareness.
Security researchers call this a “confused deputy” attack. The Meta AI chatbot acts as a trusted intermediary that external actors manipulate to obtain permissions they would never receive through standard access controls. The flaw is not in the AI model’s reasoning. It’s in the system architecture that granted those permissions without appropriate gates.
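The gates described above as missing can be sketched as a dispatch layer between the support agent and the account store. This is an added example, not Meta's code: the action names, the `Account` class and the in-memory "inbox" and "outbox" lists are assumptions standing in for a real push and mail service.

```python
import hmac
import secrets

# Hypothetical action names; which ones count as irreversible is a policy assumption.
PRIVILEGED = {"change_email", "reset_password", "remove_2fa"}

class Account:
    def __init__(self, handle, email):
        self.handle, self.email = handle, email
        self.pending = {}        # action -> (challenge code, requested args)
        self.device_inbox = []   # stands in for a push to the owner's logged-in device
        self.email_outbox = []   # stands in for mail to the ORIGINAL address

def agent_request(account, action, args):
    """Entry point for the support agent: it can only propose privileged actions."""
    if action not in PRIVILEGED:
        return "executed"        # low-risk, reversible help runs directly
    code = secrets.token_hex(4)
    account.pending[action] = (code, dict(args))
    # Out-of-band: the challenge goes to channels the owner already controls,
    # never to an address or device supplied inside the chat session.
    account.device_inbox.append((action, code))
    account.email_outbox.append(
        (account.email, f"{action} requested for @{account.handle}"))
    return "pending_owner_confirmation"

def owner_confirm(account, action, code):
    """Entry point for the owner's authenticated device, outside the chat session."""
    pending = account.pending.pop(action, None)  # single use: a wrong guess burns it
    if pending is None or not hmac.compare_digest(pending[0], code):
        return False
    _, args = pending
    if action == "change_email":
        account.email = args["new_email"]
    return True
```

The agent holds no code path that writes `account.email`; only a confirmation arriving from the already-authenticated device does, so persuading the chatbot yields a pending request and an alert to the owner rather than a transfer.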
Short, high-value usernames (two to four character “OG handles”) and accounts belonging to public figures or organizations were the primary targets. Their market value on gray markets justifies the minimal effort the attack requires. Two handles compromised in this wave had a combined estimated value above one million dollars.
Meta is not the only platform deploying AI chatbots in authentication and account recovery flows. This attack is an industry-wide warning about the risks of delegating irreversible privileged actions to AI agents without hardened identity verification at each step.
Meta confirmed the fix publicly on June 2. The company has not disclosed the total number of accounts compromised or the full scope of the financial damage. A variant of the attack using Facebook’s account recovery flow is reportedly still active.
Implications for Security and AI Agent Deployment
In the short term, Meta’s patch reduces the primary attack vector. But recovery for victims remains slow, trust in Meta AI for security-related actions has taken a structural hit, and the Facebook variant leaves the underlying risk category open. Creators and brands whose accounts are commercial assets are right to be concerned.
Over the medium term, this incident will accelerate the industry conversation about standards for AI agent permission scoping. The question is no longer “should AI handle user requests?” but “which specific actions can an AI agent perform irreversibly without a separate identity confirmation step?” The answer for account credential changes should have been obvious from the start.
The regulatory context sharpens the implications. The revised AI oversight order signed this week mandates the DOJ to prioritize AI-assisted crimes, including unauthorized access. Large-scale account hijacking using an AI chatbot as the attack surface fits that mandate precisely. Whether enforcement infrastructure is ready to match that mandate is another question.
For users at immediate risk: hardware security keys (passkeys) remain the most robust protection currently available. SMS-based two-factor authentication and email-based recovery flows have both proven vulnerable to this class of attack. A physical key is the only authentication method this attack pattern has not successfully bypassed at scale.


