Meta AI Exploit Led to High-Profile Instagram Account Takeovers

Instagram says it fixed a flaw that allowed hackers to trick its AI support chatbot into changing account details. Here’s what happened, who was affected, and how you can better protect your account.

What Happened?

According to the BBC, Instagram’s parent company, Meta, confirmed that hackers recently exploited its AI-powered support tool to gain access to other users’ Instagram accounts. The company said the issue has now been fixed, and affected accounts are being secured.

Reports shared on social media showed that attackers could convince the chatbot to change the email address connected to another person’s account. Once the email was changed, they could request a password reset and take control of the account.

The issue reportedly coincided with several high-profile account takeovers, including an Instagram account previously used by Barack Obama during his time in the White House.

Who Was Affected and What Information Was Involved?

Meta has not publicly said how many Instagram users were affected.

Based on reports, attackers were able to gain access to some accounts by changing account recovery information. This could allow them to control the account, change passwords, and lock the original owner out.

The company has not shared details about whether any personal information was stolen from affected users.

Account takeovers can create problems long after access is restored. Criminals often use hijacked accounts to impersonate victims, send scam messages, promote fraud, or target friends and family members.

Many people do not realize their account security has been weakened until they notice unusual activity, password reset emails, or messages they never sent.

If you’re not sure whether your information was leaked somewhere online, checking regularly can help you spot problems earlier. 

With Futureproof, you can quickly check whether your email appeared in known leaks and get simple steps to secure your account.

How Did the Account Takeovers Happen?

According to reports, attackers abused Instagram’s account recovery process.

Researchers demonstrated that hackers could use a VPN (a tool that makes internet traffic appear to come from a different location) to mimic the victim’s location.

After selecting a target account, they reportedly contacted Instagram’s AI support assistant and requested that a new email address be linked to the account. The chatbot approved the request and sent verification codes to the attacker’s email address. Once verified, the attacker could reset the password and take control of the account.

Cybersecurity experts say this highlights a growing risk when AI systems are given authority to make sensitive account changes without strong identity checks.
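
The gap the experts describe, as an added example (not Meta's code and not taken from the reports): a hypothetical policy check that sits between a support assistant and the account system. The signal labels, function names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical signal labels. Weak: cheap to imitate (a VPN can match a region)
# or only prove control of something the requester supplied themselves.
WEAK = {"region_matches_account", "code_sent_to_new_email"}
# Strong: prove control of something already enrolled on the account.
STRONG = {"code_sent_to_current_email", "existing_2fa", "logged_in_session"}

@dataclass
class ToolCall:
    """A sensitive change proposed by the assistant (constructed model)."""
    action: str
    account: str
    new_email: str
    verified: set = field(default_factory=set)

def weak_gate(call):
    """Pattern from the reports: any passed check is treated as identity proof."""
    return ("allow", "some check passed") if call.verified else ("deny", "no checks")

def hardened_gate(call):
    """Deterministic policy enforced outside the model, whatever the chat says."""
    if call.action != "change_recovery_email":
        return ("deny", "action not permitted for the assistant")
    strong = sorted(call.verified & STRONG)
    if not strong:
        ignored = sorted(call.verified & WEAK)
        return ("deny", f"no existing factor verified; ignored {ignored}")
    # Proof is sufficient, but the change is still delayed and the current
    # address is notified so the owner can cancel it.
    return ("allow_with_hold_and_notify", f"verified via {strong}")

# Constructed sample requests.
ATTACKER = ToolCall("change_recovery_email", "victim_account",
                    "attacker@example.test",
                    {"region_matches_account", "code_sent_to_new_email"})
OWNER = ToolCall("change_recovery_email", "victim_account",
                 "owner-new@example.test",
                 {"existing_2fa", "region_matches_account"})

if __name__ == "__main__":
    for name, call in (("attacker", ATTACKER), ("owner", OWNER)):
        print(name, weak_gate(call), hardened_gate(call))
```

A verification code sent to the new address only shows that the requester controls the address they just supplied, which is why the hardened check does not count it.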
