A new way to take over Instagram accounts has emerged lately. Hackers used VPN (Virtual Private Network) to communicate with Meta’s AI Bot to avert activation of Instagram’s security systems. Thus, the hacker appeared to be in the same geographical zone as the user of the targeted Instagram account. Hackers took over certain Instagram accounts without credentials or without using the legitimate email address associated with those Instagram accounts.

Meta’s AI Bot had the authority to execute account email-binding as well as password-reset APIs. The hacker instructed the bot to change the email address of the targeted Instagram account. In response the bot requested the hacker to give an email address. Next a verification code was sent to the email address provided by the hacker. The bot then asks the hacker to enter the verification code. After this the bot displays a ‘RESET PASSWORD’ button. Then the hacker puts in a new password.

In the whole process the original Instagram account owner doesn’t get any SMS alert or any email informing about the change to the email address associated with the account. In the end the legitimate Instagram handle owner cannot access his/her Instagram account. In the whole process the hacker doesn’t need to know the registered email address or possess the authentic login credentials. As there is no human oversight there is no check on Meta’s AI bot’s actions. For your information Meta acknowledged this vulnerability and stated that they had fixed it on last Friday. This incident highlights the dangers of granting AI applications capabilities without human oversight. They can be tricked to perform actions without warning.

SOURCES:

https://cybersecuritynews.com/metas-ai-support-bot-instagram/

https://www.404media.co/hackers-simply-asked-meta-ai-to-give-them-access-to-high-profile-instagram-accounts-it-worked/

https://techcrunch.com/2026/06/01/hackers-hijacked-instagram-accounts-by-tricking-meta-ai-support-chatbot-into-granting-access/

https://www.pcmag.com/news/metas-ai-chatbot-allegedly-helped-hackers-hijack-instagram-accounts