Meta AI: A Major Security Flaw on Instagram

· Meta, Instagram, IA, sécurité, piratage

Meta AI: A Major Security Flaw on Instagram

A flaw in Meta's support AI allowed hackers to hijack Instagram accounts, including those of celebrities and renowned brands. This vulnerability was exploited for weeks before being fixed.

Meta AI: When Overzealous Assistance Becomes a Security Flaw

2 June 2026

Instagram, Meta's flagship social network, has experienced a wave of hacking in recent months. The cause? A support artificial intelligence (AI) designed to help users, but whose flaws were exploited by hackers. This vulnerability allowed strangers to take over accounts, including those of celebrities and renowned brands.

Support AI with Overly Extensive Powers

Since March 2026, Meta has offered AI support for Instagram and Facebook users. This service, presented as quick and efficient, was supposed to solve account problems from A to Z. Among its features, password reset and changing the email address associated with the account. Sensitive operations, normally protected by strict checks.

However, the AI proved to be too permissive. It allowed changing the email address linked to an account without requiring sufficient proof of the requester's identity. Once this step was completed, hackers could reset the password and take full control of the account. The real owners then found themselves locked out, unable to log back in.

The Hackers' Method: Convincing Rather Than Hacking

Unlike classic attacks, the pirates did not need to crack passwords or exploit complex technical flaws. Their weapon? Manipulation. By contacting the support AI, they posed as the legitimate owners of an allegedly hacked account. They then requested to receive the reset codes on an email address controlled by them.

The AI, programmed to be helpful, complied with this request without batting an eyelid. Once the code was received, the hackers changed the password and locked the real owner out of their account. This technique, simple but effective, worked for weeks before Meta detected the problem.

Prestigious Accounts Among the Victims

The consequences of this flaw were visible. Several high-profile accounts were compromised. Among them, the one attributed to Barack Obama, former President of the United States, as well as the official profile of Sephora, the famous cosmetics brand. An account linked to the Space Force, the space branch of the US military, was also hacked.

The hackers took advantage of these takeovers to spread fraudulent content, such as cryptocurrency scams or malicious links. Subscribers, believing they were interacting with a reliable source, were more likely to fall into the trap. These incidents highlighted the risks associated with the automated management of sensitive accounts.

Two-Factor Authentication, an Effective Protection

Not all accounts were vulnerable. Those equipped with two-factor authentication (2FA) resisted the attacks. This system, which requires an additional code sent by SMS or generated by an application, blocked the takeover attempts. Even if the email address was changed, the hackers could not bypass this second barrier.

This flaw reminds us of the importance of securing accounts with additional measures. 2FA, often perceived as cumbersome, proved to be indispensable here. Users who had not activated it were the first targets of the pirates.

Meta's Response: Corrections and Unanswered Questions

Meta finally fixed the flaw after several weeks of exposure. The company strengthened the checks required by its AI before any email address change. Now, additional proof, such as confirmation via a trusted device, is required. These measures should limit the risks of manipulation.

However, this incident raises questions about the design of AI assistants. How can a system designed to help become a vector of attacks? Were the security tests before deployment sufficient? Meta has not communicated on any negligence in the development of its AI. Users remain awaiting stronger guarantees.

How to Protect Against This Type of Hacking

Instagram and Facebook users can take steps to avoid suffering the same fate. Here are the essential precautions:

1. Enable two-factor authentication: 2FA remains the best protection against takeovers. Even if a hacker gets the password, they won't be able to access the account without the second factor. 2. Check associated email addresses: Regularly, ensure that only a controlled address is linked to the account. Any unsolicited changes should raise an alert. 3. Beware of suspicious messages: Unrequested reset notifications may indicate a hacking attempt. Never click on links sent by email without verification. 4. Use unique passwords: A different password for each service limits risks in case of a leak. Password managers facilitate this practice. 5. Monitor unusual activities: Social networks send alerts in case of login from a new device. These notifications should be taken seriously.

AI at the service of hackers: a growing risk

This case illustrates a broader phenomenon: the exploitation of automated systems by malicious actors. AI, increasingly present in online services, are becoming targets for hackers. Their strength—their ability to quickly process requests—can also be their weakness if they are not sufficiently secured.

Companies must integrate security from the design of their AI tools. This involves rigorous testing, regular updates, and constant monitoring of abnormal behaviors. Users, on the other hand, must remain vigilant. AI can be a valuable ally, but it does not replace common sense in cybersecurity.

Conclusion: towards better regulation of AI assistants?

The hacking of Instagram accounts via Meta's AI marks a turning point. It shows that the automation of customer services, while convenient, can also open dangerous breaches. Companies must find a balance between efficiency and security. Users, for their part, must adopt protective measures, such as two-factor authentication.

In the future, regulators may be led to more strictly regulate the development of AI assistants. Minimum security standards, independent audits, and sanctions in case of negligence could become the norm. In the meantime, this case reminds us of a simple truth: in the digital world, vigilance remains the best protection.

Key Points

  • Meta's support AI allowed the hacking of Instagram accounts.
  • Hackers exploited a flaw in password resets.
  • Prestigious accounts like that of Barack Obama were compromised.
  • Two-factor authentication proved effective against these attacks.
  • Meta fixed the flaw after several weeks of exposure.

Sources

  1. Next.ink - "☕️ L’assistant IA de Meta permettait de voler des comptes Instagram". (secondary)
  2. TechCrunch - "Hackers hijacked Instagram accounts by tricking Meta AI support chatbot into granting access". (secondary)
  3. Clubic - "Bernée, Meta AI a aidé des hackers à pirater des comptes Instagram". (secondary)
  4. Korben - "Instagram - Le chatbot de Meta donnait les clés des comptes". (secondary)
  5. Publico Portugal - "Inteligência artificial da Meta enganada para entregar contas de Instagram". (secondary)
  6. Heise DE - "KI-Chatbot von Meta hat Angreifern bei Übernahme von Instagram-Accounts geholfen". (secondary)

Transparency: 6 sources (0 primary, 6 secondary). Verification: June 2, 2026.

Truthyx - June 2, 2026