Want to hack an Instagram account? Just ask nicely

Last weekend, several Instagram accounts got hijacked in a way that's equal parts impressive and gloriously embarrassing. Hackers opened Meta's AI support chatbot, asked it to change the recovery email on someone else's account, and it simply did. Possibly the most low-effort Instagram account takeover in recent memory.

Among the compromised accounts were the Obama White House Instagram, Sephora, and the Chief Master Sergeant of the U.S. Space Force.

Back in March, Meta had announced it was pushing AI support to all accounts, giving it the ability to reset passwords and handle critical account functions. Speed and scale. The assumption was that the AI would figure out who the real owner was. It didn't. Once your account is gone, there's no human to escalate to. It's you, arguing with a chatbot, hoping to get back what the chatbot gave away.

Deploying AI for customer support is a security decision as much as a product one. When guard rails get skipped, real people lose accounts and all that comes with them.
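An added example, not Meta's code and not part of the original post: one way to keep a high-stakes action such as a recovery-email change behind a server-side check that the model's output cannot override. The action names, the `Session` and `ToolCall` fields, and the functions are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical action names. The post only says the bot could reset
# passwords and change the recovery email.
HIGH_STAKES = {"change_recovery_email", "reset_password"}


@dataclass(frozen=True)
class Session:
    """Facts established by the platform, never by chat text or the model."""
    authenticated_account: Optional[str]  # account this session is logged in to
    step_up_verified: bool                # fresh MFA or confirmation via an existing channel


@dataclass(frozen=True)
class ToolCall:
    """What the model asks the backend to do on the user's behalf."""
    action: str
    target_account: str


def authorize(session: Session, call: ToolCall) -> Tuple[bool, str]:
    """Decide from session facts only; the conversation is not an input."""
    if call.action not in HIGH_STAKES:
        return True, "low-risk action"
    if session.authenticated_account is None:
        return False, "no authenticated session"
    if session.authenticated_account != call.target_account:
        return False, "session does not own target account"
    if not session.step_up_verified:
        return False, "step-up verification required"
    return True, "owner verified"


def handle(session: Session, call: ToolCall) -> dict:
    """Execute the call, or deny it and hand off to a human reviewer."""
    allowed, reason = authorize(session, call)
    if not allowed:
        return {"status": "denied", "reason": reason, "escalate_to_human": True}
    return {"status": "executed", "action": call.action}
```
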

MFA (Multi-Factor Authentication) reportedly protected many accounts from this exploit. Go turn it on if you haven't. Meta says the issue is fixed, but the question of how much we trust automated systems with high-stakes actions is very much still open.