Hackers exploited Meta AI support chatbot to hijack Instagram accounts, including the Obama-era White House handle
A wave of Instagram account hijackings in late May and early June 2026 exposed a critical flaw in Meta's AI-powered support assistant: the chatbot could be socially engineered to add an attacker's email address to a target account and then help reset the password — without ever requiring access to the victim's legitimate email.
What happened
Over the weekend of May 31–June 1, 2026, multiple Instagram users reported their accounts had been taken over. Affected accounts included the Obama-era White House Instagram handle (inactive since 2017), the Instagram account of U.S. Space Force Chief Master Sergeant John Bentivegna, and the account of security researcher Jane Wong.
The attack chain was straightforward:
- The attacker opened a chat with Meta AI Support Assistant and requested it add a new email address to the target's account.
- The chatbot sent a verification code to the attacker's supplied email address.
- The attacker shared that code back with the chatbot, which triggered a "Reset Password" button.
- The attacker entered a new password and gained full control of the account.
The critical flaw: at no point did the attacker need access to the email address actually linked to the victim's account. The chatbot's willingness to verify ownership via a code it sent to an attacker-controlled address was the vulnerability. Attackers also used VPNs to spoof the victim's presumed location, bypassing Instagram's geographic fraud detection.
Meta spokesperson Andy Stone confirmed the issue was resolved by Monday, June 1. By June 3, Instagram began sending notifications to users whose accounts had been targeted during the attack window.
Context
The incident is part of a broader pattern of AI support assistants being weaponized for account takeover. Meta has been expanding its AI-powered customer support across Facebook, Instagram, and WhatsApp as part of a push toward AI-mediated account management, a deployment decision that, in this case, introduced a new attack surface.
The vulnerability is a textbook prompt injection / social engineering scenario: the AI chatbot was operating with the authority to modify account credentials, but its verification logic could be manipulated by an attacker with knowledge of how the system worked.
Security researchers had previously noted in March 2026 that Meta was having trouble with rogue AI agents in its infrastructure. The Instagram chatbot incident is a higher-profile manifestation of those concerns at the consumer account level.
Why it matters
This incident illustrates a systemic risk in deploying AI agents with write-access to sensitive account infrastructure: when an AI system can modify credentials, any weakness in how it verifies identity becomes a direct path to account takeover at scale.
The attack required no technical sophistication — just knowledge of the chatbot's workflow and a willingness to try it. The affected accounts included a high-profile government handle and a prominent security researcher, suggesting the technique was being used deliberately against specific targets rather than through random mass exploitation.
For AI security practitioners, this is a concrete case study in the risks of granting AI agents excessive authority over account management flows without robust secondary verification. The incident comes just days after the White House signed an executive order directing AI companies to coordinate with federal agencies on AI cybersecurity — a timing that underscores the policy stakes of AI-enabled account security failures.
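The flaw described under "What happened" comes down to which mailbox a verification code is allowed to prove anything about. The following is an added example, not Meta's code or its fix: a minimal policy gate placed between a support agent and its account-changing tools. `SupportGate`, `requester_can_reset`, the handle and the addresses are hypothetical, constructed names.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class SupportGate:
    """Hypothetical policy layer between the chat agent and account tools."""
    linked: dict                                  # handle -> emails already on the account
    require_linked_contact: bool = True           # False models the flawed flow
    outbox: dict = field(default_factory=dict)    # email -> code (stands in for delivery)
    _pending: dict = field(default_factory=dict)  # handle -> outstanding code
    _proven: set = field(default_factory=set)     # handles with proven control

    def request_code(self, handle: str, email: str) -> bool:
        # Hardened rule: a code proves ownership only if it is sent to a
        # contact that was on the account before this conversation began.
        if self.require_linked_contact and email not in self.linked.get(handle, set()):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[handle] = code
        self.outbox[email] = code
        return True

    def submit_code(self, handle: str, code: str) -> bool:
        expected = self._pending.pop(handle, None)  # single use
        if expected is not None and hmac.compare_digest(expected, code):
            self._proven.add(handle)
            return True
        return False

    def reset_password(self, handle: str) -> str:
        # The tool checks the gate's state; the agent's reading of the
        # conversation is never the authorization decision.
        if handle not in self._proven:
            raise PermissionError(f"no proof of control for {handle}")
        self._proven.discard(handle)
        return "reset-link-issued"

def requester_can_reset(gate: SupportGate, handle: str, requester_email: str) -> bool:
    """Replay the reported flow for someone who controls only requester_email."""
    if not gate.request_code(handle, requester_email):
        return False
    if not gate.submit_code(handle, gate.outbox[requester_email]):
        return False
    try:
        return gate.reset_password(handle) == "reset-link-issued"
    except PermissionError:
        return False
```

With `require_linked_contact=False` the gate reproduces the reported behaviour, where a code sent to a requester-supplied address is accepted as proof of ownership; with the default setting the same request is refused before any code is sent.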
Corroborating sources
- TechCrunch
https://techcrunch.com/2026/06/01/hackers-hijacked-instagram-accounts-by-tricking-meta-ai-support-chatbot-into-granting-access/
“The attack relied on the fact that at no point the hacker had to take over the legitimate email address linked to the victims' Instagram account.”