Logic flaw in Meta's AI support chatbot allowed attackers to bypass 2FA and hijack Instagram accounts
By Guru Baran
FeedBagel synthesis · 9 sources
Hackers exploited a logic flaw in Meta's AI-powered Instagram support chatbot to bypass two-factor authentication and hijack high-profile accounts, including the Obama White House and U.S. Space Force accounts, which were briefly defaced with pro-Iranian content, as reported by Hacker News and The Verge. The attack required no malware or phishing; attackers simply tricked the bot into changing the email address on a target's account to reset the password, according to multiple sources including The Verge. Stolen usernames were listed for resale on Telegram within minutes, per bsky, and Meta has since patched the issue, The Verge confirmed.
Summary
A critical logic flaw in Meta's AI-powered Instagram support chatbot allowed attackers to bypass two-factor authentication and hijack high-value Instagram accounts, including "OG" handles, dormant institutional accounts, and verified profiles. The attack required no malware, phishing, or email access—attackers simply manipulated the AI bot into resetting passwords and handing over account access. Stolen usernames were listed for resale on Telegram within minutes of compromise.
Key quotes · 3 pulled
A critical logic flaw in Meta's AI-powered Instagram support chatbot allowed attackers to bypass two-factor authentication entirely, not by cracking codes, but by simply asking the bot to hand over access.
The attack required no malware, no phishing link, and no access to the victim's email address.
Over the weekend, high-value 'OG' Instagram handles, dormant institutional accounts, and verified profiles were stolen in minutes, with stolen usernames listed for resale on Telegram almost immediately after compromise.