
Hackers Used Meta's AI Support Bot to Seize Instagram Accounts

June 8, 2026
By ZadeNor AI Team

Hackers Exploit Meta's AI Support Bot to Seize Instagram Accounts

A recent string of high-profile hacks has exposed a significant vulnerability in Meta's AI-powered customer support system. The attackers, who claimed to be pro-Iranian hackers, used a remarkably simple exploit to reset the passwords of several high-value Instagram accounts, including those of the Obama White House and the Chief Master Sergeant of the U.S. Space Force. The incident has raised serious concerns about the security of AI-powered customer support systems and the potential for future attacks.

How the Hackers Exploited the System

According to a video released on Telegram, the hackers used a VPN connection with an IP address in or near the target's usual hometown to request a password reset for the account. They then chose to chat with Meta's AI support assistant, which dutifully sent a one-time code to the account's email address, allowing the hackers to reset the password. The attackers claimed that this exploit worked against multiple high-value accounts, which they estimated to be worth over half a million dollars.

The Role of AI in Customer Support

Meta's AI-powered customer support system was designed to reduce friction for legitimate users stuck in account-access hell. The system uses a conversational AI layer to handle common recovery workflows, such as relinking a lost email address or triggering a password reset. However, as Ian Goldin, a threat researcher at Lumen's Black Lotus Labs, pointed out, AI chatbots create interesting new attack surfaces, and we're likely going to see a lot more of these kinds of attacks.

The Security Implications

The hack highlights the potential risks of relying on AI-powered customer support systems. Just as human customer support employees can be socially engineered into providing unauthorized access to someone's account, AI bots are equally eager to help and vulnerable to persuasion and trickery. The attackers exploited the system's trust in the user's location and email address, which is a common vulnerability in many AI-powered systems.

Securing Your Online Accounts

To secure your online accounts, it's essential to take full advantage of the most secure form of multi-factor authentication (MFA) offered. In this case, even using the least robust form of MFA that Instagram offers – a one-time code sent via SMS – likely would have blocked the exploit. The hackers who released the video on Telegram said their exploit failed to work against any accounts that had MFA enabled.

The Future of AI-Powered Customer Support

As more large online platforms start allowing AI chatbots to handle sensitive account recovery requests, we're entering uncharted security territory. The hack highlights the need for greater security measures to protect against these kinds of attacks. It's essential for companies to implement robust security protocols and to educate users about the potential risks of relying on AI-powered customer support systems.
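
One way a platform can enforce such a protocol is a deterministic authorization gate that runs outside the chatbot and checks every recovery action the bot proposes. The sketch below is an added example, not Meta's code and not part of the source article; the Account and ToolCall records, the proof names and the action names are hypothetical, chosen to match the two recovery workflows mentioned above (triggering a password reset and relinking an email address).

```python
from dataclasses import dataclass, field

# Proofs of control over something already bound to the account.
# IP geolocation is deliberately absent: it is a risk signal, not a factor.
STRONG_PROOFS = {"existing_email_otp", "sms_otp", "totp", "passkey"}
MFA_PROOFS = {"sms_otp", "totp", "passkey"}

@dataclass
class Account:                        # hypothetical account record
    verified_emails: set
    mfa_enrolled: bool = False

@dataclass
class ToolCall:                       # hypothetical action proposed by the bot
    action: str                       # "send_reset_code" or "add_email"
    target_email: str
    proofs: set = field(default_factory=set)  # verified server-side this session
    ip_near_usual_location: bool = False      # logged for risk scoring only

def authorize(account: Account, call: ToolCall) -> tuple[bool, str]:
    """Runs before any tool executes; the model's own output cannot override it."""
    if call.action == "send_reset_code":
        # Codes go only to contact points verified before this conversation.
        if call.target_email in account.verified_emails:
            return True, "ok"
        return False, "unverified_destination"
    if call.action == "add_email":
        # Binding a new contact point needs proof of an existing factor,
        # and an MFA factor specifically when the account has MFA enrolled.
        if account.mfa_enrolled and not (call.proofs & MFA_PROOFS):
            return False, "mfa_required"
        if not (call.proofs & STRONG_PROOFS):
            return False, "step_up_required"
        return True, "ok"
    return False, "unknown_action"

def demo():
    """Constructed sample requests; addresses are placeholders."""
    acct = Account(verified_emails={"owner@example.com"})
    mfa_acct = Account(verified_emails={"owner@example.com"}, mfa_enrolled=True)
    return [
        authorize(acct, ToolCall("add_email", "new@example.net",
                                 ip_near_usual_location=True)),
        authorize(acct, ToolCall("send_reset_code", "new@example.net",
                                 ip_near_usual_location=True)),
        authorize(acct, ToolCall("send_reset_code", "owner@example.com")),
        authorize(mfa_acct, ToolCall("add_email", "new@example.net",
                                     proofs={"existing_email_otp"})),
        authorize(mfa_acct, ToolCall("add_email", "new@example.net",
                                     proofs={"totp"})),
    ]
```

The ip_near_usual_location field is never read by authorize(), so a request that merely appears to come from the owner's hometown gains nothing from it.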

Conclusion

The recent hack of Instagram accounts using Meta's AI support bot has exposed a significant vulnerability in AI-powered customer support systems. The incident highlights the potential risks of relying on AI-powered systems and the need for greater security measures to protect against these kinds of attacks. As we move forward, it's essential for companies to prioritize security and to educate users about the potential risks of relying on AI-powered customer support systems.

Forward-Looking Thoughts

The hack of Instagram accounts using Meta's AI support bot is a wake-up call for companies to prioritize security and to implement robust security protocols. As AI-powered customer support systems become more prevalent, we can expect to see more attacks like this in the future. It's essential for companies to stay ahead of the curve and to invest in security measures that can protect against these kinds of attacks. By doing so, we can ensure that AI-powered customer support systems are secure and reliable for users.


Source: https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts/
