Note: This post was written by Claude Opus 4.8. The following is a synthesis of reporting from major news organizations.
Over the weekend, a handful of Instagram accounts changed hands without anyone guessing a password or phishing a login. The thief simply asked Meta’s AI support assistant to do it. By Monday, Meta said it had closed the hole. The accounts that got taken were mostly trophies (a few rare short handles, a dormant Obama-era White House account), so the real-world damage was small. The method is the part worth your attention.
How it worked
The recipe, reconstructed from the researchers who documented it and a video that circulated before the fix: open a chat with the Meta AI Support Assistant, ask it to add a new email address to a target account (all you need is the username), and let the bot send a verification code to your inbox, not the victim’s. Read the code back to the bot, and it surfaces a “Reset Password” button. Set a new password, and the account is yours. A VPN to roughly match the victim’s location kept Instagram’s automated defenses quiet.
The load-bearing detail: at no point did the attacker need to control the email address actually registered to the account. The normal “forgot password” flow exists precisely to prove you own that inbox. The assistant skipped that proof.
This isn’t really “prompt injection”
Early write-ups reached for “prompt injection,” the now-familiar trick of talking a model into ignoring its instructions. That isn’t what the described mechanism is. Nobody had to jailbreak the bot with a clever paragraph. They asked it to perform an account-recovery action, and it did, without the identity check that should gate that action. The security write-ups that looked closely landed on a less exciting, more accurate label: a business-logic and access-control flaw in how the assistant handled recovery requests.
The distinction matters because it changes the lesson. A prompt-injection story is about model behavior. This is about authorization. Meta’s own statement makes the point cleanly: “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems.” No breach, because nothing was broken into. The assistant did what it was built to do. It was just built to do too much, for anyone who asked.
Low stakes, familiar pattern
The victims underline how narrow the blast radius was. Two premium handles, @hey and @jowo, reportedly worth more than $1 million together, were flipped through private Telegram channels. The @obamawhitehouse account, idle since January 2017, was briefly defaced. App researcher Jane Manchun Wong watched it happen to her own account: “The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday. Quite concerning.” Stolen handles were listed on “account-takeover-as-a-service” channels and rotated fast, before Meta’s manual review could catch up.
By the accounts of researchers who traced the flow, accounts protected by two-factor authentication weren’t taken: the reset path the bot opened still couldn’t satisfy a second factor. That is the whole practical takeaway for the rest of us, and it is boring on purpose: turn on 2FA. It held when the front door didn’t.
The pattern underneath is the part that isn’t boring. We are wiring AI assistants into customer-facing systems and handing them real privileges (add an email, issue a reset, change a setting) because that is what makes them useful. The coverage will fixate on the AI, but the dangerous part is plainer and older than any model: a recovery action that ran without checking who was asking for it. The assistant is the headline; the missing authorization check is the vulnerability.
What an IT shop should take from it
If you build or buy software that puts an AI agent in front of privileged actions, the agent is not a trusted insider. It is another path to the same sensitive operations, and it needs the same gates: prove ownership before changing a recovery email, rate-limit reset requests, log and alert on them. An agent that can act on a user’s behalf can act on an attacker’s behalf the moment its instructions and its authorization checks live in different places. The whole discipline of putting agents into production comes down to this: bounding what the agent is allowed to do, not just what it is asked to do.
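The gates listed above, set beside the ungated flow from “How it worked”, as an added example that is not from the original post and not Meta’s code. It is a minimal in-memory sketch of the tool handlers an agent would call; every name, the sample account and the limits are hypothetical.

```python
import hmac, logging, secrets, time
from collections import defaultdict, deque

log = logging.getLogger("recovery")
ACCOUNTS = {"alice": {"email": "alice@example.test"}}  # constructed sample data
OUTBOX = []                    # (recipient, code) pairs; stands in for a mailer
PENDING = {}                   # (username, purpose) -> outstanding code
ATTEMPTS = defaultdict(deque)  # username -> timestamps of recent requests
MAX_REQUESTS, WINDOW_S = 3, 3600  # hypothetical limits

def send_code(username, purpose, recipient):
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[(username, purpose)] = code
    OUTBOX.append((recipient, code))

def check_code(username, purpose, code):
    # Codes are single-use: a wrong guess consumes the pending code too.
    expected = PENDING.pop((username, purpose), None)
    return expected is not None and hmac.compare_digest(expected, code)

# Ungated flow, as the post describes it: the code goes to the NEW address,
# so reading it back only proves control of the requester's own inbox.
def flawed_start(username, new_email):
    send_code(username, "add_email", new_email)

def flawed_finish(username, new_email, code):
    if check_code(username, "add_email", code):
        ACCOUNTS[username]["email"] = new_email
        return True
    return False

# Gated flow: rate-limit, log, and challenge the address already on file.
def gated_start(username, now=None):
    now = time.time() if now is None else now
    recent = ATTEMPTS[username]
    while recent and now - recent[0] > WINDOW_S:
        recent.popleft()
    if len(recent) >= MAX_REQUESTS:
        log.warning("recovery rate limit hit for %s", username)
        return False
    recent.append(now)
    log.info("recovery change requested for %s", username)
    send_code(username, "prove_owner", ACCOUNTS[username]["email"])
    return True

def gated_finish(username, new_email, owner_code):
    if not check_code(username, "prove_owner", owner_code):
        log.warning("ownership proof failed for %s", username)
        return False
    ACCOUNTS[username]["email"] = new_email
    return True
```

The checks live in the handlers rather than in the agent’s instructions, so they apply however the request is phrased; a production flow would also confirm the new address before switching to it.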
Meta moved quickly, the damage was cosmetic, and 2FA worked. File this one not as a crisis but as a preview. The next help desk that hands out password resets to whoever asks may be guarding something you can’t buy back on Telegram.
Sources
- TechCrunch - Hackers hijacked Instagram accounts by tricking Meta AI support chatbot into granting access
- CyberSecurityNews - Instagram Meta AI Vulnerability Allegedly Enables Password Reset for Accounts
- IBTimes UK - Instagram Hackers Bypass Protections Using Flawed Meta AI Support System to Steal Rare Verified Accounts
