Meta has confirmed it has fixed a security issue in Instagram’s AI support system after reports that hackers were able to trick the chatbot into granting access to other users’ accounts.
The incident reportedly allowed attackers to manipulate Instagram’s automated support tool into changing account credentials, including passwords and associated email addresses, through social engineering tactics.
According to screenshots and videos shared on social media, hackers were able to “hijack” accounts by falsifying location details and interacting with the AI support chatbot as if they were legitimate users requesting account recovery assistance.
Meta spokesperson Andy Stone said the issue has now been resolved and that the company is working to secure affected accounts. He also dismissed claims that the vulnerability had been used to target accounts belonging to world leaders as “totally false.”
Reports from cybersecurity outlets suggested the exploit may have coincided with a series of high-profile Instagram account takeovers, including a verified account previously used by former US President Barack Obama. That account allegedly posted unauthorized content before being recovered.
Security researcher Jane Manchun Wong, a former Meta employee, also claimed her Instagram password was changed without her knowledge and that she experienced repeated password reset attempts.
The method reportedly involved using Instagram’s recovery flow alongside a VPN to mimic the target user’s location. Attackers would then request email changes through the AI support system and receive verification codes that enabled them to complete the account takeover.
The incident has renewed concerns about the growing role of artificial intelligence in customer support systems and the risks of automation without sufficient human oversight.
Meta has previously faced criticism over limited human support for users dealing with hacked or wrongly suspended accounts. Advocacy groups in the EU have also raised concerns about delays and a lack of response when users report account disputes.
The company says it is continuing to review its systems to prevent similar incidents in future.




