Instagram has said it has resolved a security issue that reportedly allowed hackers to trick its artificial intelligence support tool into granting access to other users’ accounts.
The alleged vulnerability, which was demonstrated in screenshots and videos shared on social media, reportedly enabled attackers to take over Instagram accounts by manipulating the platform’s AI-powered account recovery process.
According to the claims, hackers could fake their location using a virtual private network, search for a target account during the recovery process, and then ask Instagram’s Meta AI support assistant to link a new email address to the account.
The AI tool allegedly complied by sending a verification code to the hacker’s email address. Once the code was verified, the attacker would reportedly receive a link enabling them to change the account password.
Meta spokesperson Andy Stone confirmed the issue in a post on X, saying the company had resolved it and was working to secure affected accounts.
“This issue has been resolved and we are securing impacted accounts,” Stone said.
He, however, rejected claims that the vulnerability had been used to hack accounts belonging to world leaders, describing such reports as “totally false.”
The controversy followed reports by tech outlet 404 Media that posts about the vulnerability coincided with a series of high-profile Instagram account takeovers.
One of the affected accounts was reportedly a verified Instagram account used by former United States President Barack Obama while he was in the White House. The account was said to have posted pro-Iran content before it was recovered.
It remains unclear how many Instagram users were affected by the apparent exploit.
Among those who claimed to have been affected was security researcher and former Meta employee Jane Manchun Wong.
Wong, who previously worked at Meta as a security engineer, said her Instagram password was changed without her knowledge.
“My Instagram password got changed without my knowledge and I was getting different password reset attempts throughout yesterday,” she wrote on X.
“Quite concerning,” she added.
The incident has renewed concerns about the growing use of AI systems in customer support and account recovery processes, especially where such tools are given authority to make changes affecting user security.
Videos shared on social media purportedly showed how the exploit worked. In one clip shared by cybersecurity researcher Dark Web Informer, a user appeared to search for the account they wanted to access, used a VPN to mimic the account holder’s location, and then requested that the Meta AI support assistant link a new email address to the account.
The bot allegedly processed the request and sent a verification code to the attacker’s email, followed by a password reset link.
The development also revived complaints about the difficulty many users face in getting human support from Meta when their accounts are hacked or wrongly suspended.
One user on X said they could not find any human support after their Instagram account was compromised.
“We’re at the point where one AI stole it and another can’t fix it, zero humans in the loop anywhere,” the user wrote.
Meta has previously faced criticism over its handling of hacked and suspended accounts, with many users complaining that automated systems make it difficult to recover access or receive meaningful support.
An independent body that handles disputes from social media users in the European Union recently said Meta rarely responds when it raises cases involving users who claim they were wrongly locked out of their accounts.
The incident also comes as Meta continues to invest heavily in artificial intelligence while reducing parts of its workforce.
Although Instagram says the issue has now been resolved, the reported exploit has raised fresh questions about whether AI support tools should be allowed to handle sensitive account recovery requests without stricter human review, stronger verification checks and clearer safeguards for users.
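In the recovery flow reported above, a code delivered to a newly supplied email address proves control of that address only, not ownership of the account. The sketch below is an added illustration, not Instagram's or Meta's code: a policy gate placed between a support assistant and its account-changing tools, where `authorize`, the action names and the data classes are all hypothetical and the sample addresses are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical names for tools a support assistant could call on a user's behalf.
SENSITIVE_ACTIONS = {"link_email", "send_password_reset"}

@dataclass
class Account:
    username: str
    verified_contacts: set   # contact points already on file before this session
    usual_country: str

@dataclass
class Session:
    country: str             # derived from IP address; a VPN can change it
    proven_contacts: set = field(default_factory=set)  # addresses whose codes were entered

def authorize(action, account, session, target_email=None):
    """Return (decision, reason) for a tool call the assistant wants to make.

    session.country is deliberately never consulted: matching the owner's
    usual location is not evidence of ownership.
    """
    if action not in SENSITIVE_ACTIONS:
        return "allow", "not security-sensitive"
    # Only proof of control over a contact that was ALREADY on file counts.
    proven_existing = session.proven_contacts & account.verified_contacts
    if action == "link_email" and target_email not in account.verified_contacts:
        if not proven_existing:
            # A code sent to target_email shows the requester owns the new
            # address, nothing more.
            return "deny", "no proof of control over an existing contact"
        return "review", "new contact point held for human review"
    if action == "send_password_reset":
        if target_email not in account.verified_contacts:
            return "deny", "reset links go only to contacts on file"
        return "allow", "reset sent to contact on file"
    return "allow", "contact already on file"

if __name__ == "__main__":
    acct = Account("example_user", {"owner@example.com"}, "US")
    # Constructed session: location matches, but only a brand-new address was verified.
    requester = Session("US", {"new-address@example.net"})
    print(authorize("link_email", acct, requester, "new-address@example.net"))
    owner = Session("FR", {"owner@example.com"})
    print(authorize("link_email", acct, owner, "owner-new@example.com"))
```

The gate returns a decision rather than performing the action, so the assistant's conversational output never decides on its own whether a contact point is changed.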

