Meta’s AI support assistant enabled hackers to take over Instagram accounts, even bypassing two-factor authentication, according to security researchers. The exploit was flagged over the weekend, with details circulating widely on Telegram, where hackers reportedly instructed the AI chatbot to change email addresses and request password resets for targeted accounts.
Meta is currently addressing the issue but has not disclosed how many accounts were compromised before the exploit was patched. Reports from 404 Media indicate that users had been discussing the security vulnerability on Telegram since March. Andy Stone, Meta’s VP of communications, confirmed the problem has been resolved and that the company is securing affected accounts.
🚨 Instagram had an exploit that allowed you to use Meta AI to reset passwords to accounts with no MFA on them. The exploit was patched a short time ago. pic.twitter.com/PEUwLvmllj
— Dark Web Informer (@DarkWebInformer) June 1, 2026
Hackers exploited a flaw in the AI tool, which relied on users’ physical locations to provide account support. They used VPNs to disguise their locations as those of the targeted account holders. Meta highlighted that its systems recognized users’ devices and familiar locations to enhance security, but this mechanism was manipulated.
The timing of the exploit coincided with a series of high-profile account hacks, including that of the Obama White House, which posted a controversial AI-generated image. Other potentially impacted accounts include beauty retailer Sephora and a high-ranking Space Force official, as reported by 404 Media.





