It started with a VPN, a chat window, and a very cooperative chatbot.
Between late May and early June 2026, attackers exploited a critical vulnerability in Meta's AI Support Assistant to take over more than 20,000 Instagram accounts — with almost no technical skill required. Meta has since confirmed the fix, but the incident raises uncomfortable questions about the risks of deploying AI in high-stakes account security roles.
How the Attack Worked
The method was deceptively simple. Using a VPN to spoof the target's likely location — which helped bypass Instagram's automated security flags — an attacker would open a conversation with Meta's AI support bot and ask it to add a new email address to the victim's account. The chatbot would then send a verification code to the attacker-controlled email. After sharing that code back with the bot, a password reset button would appear, handing over full account access.
The critical weakness: at no point did the attacker need access to the victim's actual email or phone number. Standard verification was bypassed entirely because the chatbot, designed to be helpful with account recovery, couldn't distinguish between a legitimate account owner and an impersonator.
Who Was Affected
Instagram notified at least 20,225 people that their accounts had been compromised. Among the confirmed victims were the inactive Instagram account previously used by Barack Obama's White House team and the account of U.S. Space Force Chief Master Sergeant John Bentivegna. Security researcher Jane Wong also reported that her password had been changed without her knowledge.
Meta introduced its AI Support Assistant in March 2026, positioning it as a way to streamline account recovery and reduce friction for users locked out of their profiles. In practice, the absence of robust verification created an opening that bad actors found quickly.
Meta's Response
Instagram spokesperson Andy Stone confirmed the issue was fixed, though Meta did not disclose the full number of affected accounts beyond the notification figure, nor did it detail the additional security measures it plans to implement going forward.
The incident is a stark reminder that AI systems placed in security-critical roles need considerably more scrutiny than a standard customer service bot — and that the drive for frictionless support and the need for rigorous identity verification are difficult to optimize for simultaneously.