Telegram Posts Allegedly Showed How to Abuse Meta’s AI Support Bot to Take Over Instagram Accounts
Meta has reportedly moved to close a flaw in Instagram’s account recovery process after hackers claimed they could use the company’s AI support assistant to add a new email address to a victim’s accou...
Meta has reportedly moved to close a flaw in Instagram’s account recovery process after hackers claimed they could use the company’s AI support assistant to add a new email address to a victim’s account and complete a password reset.
The issue came to light after Telegram channels began sharing instructions and a demonstration video showing a seemingly simple abuse of Instagram’s automated support flow. According to the posts, an attacker would first request a password reset, then switch to Meta’s AI assistant during the recovery process. From there, the bot allegedly accepted a request to link a new email address to the target account and sent a one-time code to that address, enabling the takeover.
Accounts tied to the Obama White House and the U.S. Space Force were briefly defaced over the weekend with pro-Iranian images and messages, underscoring the apparent impact of the technique. The Telegram account that circulated the video also claimed the method had been used to seize additional high-value Instagram handles, some of which were said to carry significant resale value because of their short names.
Meta did not publicly address the claims in detail, but company security executive Andy Stone said on X that the issue had been fixed and that affected accounts were being protected. Reporting from thecybersecguru.com said Meta issued an emergency patch and that no internal database had been compromised.
Why the incident matters
Security analysts say the case highlights a growing problem as large platforms allow chatbots to assist with sensitive account recovery steps. Ian Goldin, a researcher with Lumen’s Black Lotus Labs, said AI systems can create a new attack surface because they may be persuaded into providing help that should have required stronger identity checks.
Experts also noted that users can reduce their risk by enabling the strongest available multi-factor authentication. In this case, the Telegram users who described the abuse said the method did not work on accounts protected by MFA.
- Use passkeys or hardware security keys when available.
- Avoid relying only on SMS-based codes if stronger options exist.
- Review recovery email addresses and login alerts regularly.
The incident adds to concerns that AI-assisted customer support, while useful for legitimate account recovery, may also be vulnerable to social engineering at scale.
