Meta AI agent exploited in simple Instagram account hijack
Attackers bypassed geo-restrictions and directly requested email changes, compromising the dormant Obama White House account and highlighting the tension between AI utility and rigorous security testing.

On 5 June 2026, attackers exploited Meta’s AI customer support agent to hijack Instagram accounts by requesting email address changes. The incident included the compromise of the dormant Obama White House account, which was used to post pro-Iran content. Other accounts with valuable, single-word handles were also taken over, potentially for resale. Meta stated on X that the vulnerability had been resolved.
The exploit required attackers to use a VPN matching the true account owner’s location to bypass geo-restrictions. Once this hurdle was cleared, they directly asked the support agent to change the account’s email address, and the agent complied. Meta has not commented publicly on how this vulnerability slipped through the cracks, though a spokesperson confirmed the fix on Monday.
Experts, including Neil Gong (Duke University) and Jessica Ji (Georgetown University), expressed surprise at the simplicity of the breach, questioning why it was not caught during pre-deployment testing. Gong described the oversight as surprising, noting that such a simple problem should have been uncovered easily. Ji raised questions about whether guardrails were in place and if anyone thought to test for this specific scenario, particularly given Meta’s extensive expertise in AI and cybersecurity.
The incident highlights a broader security trade-off: as AI agents are given more power and fewer guardrails to improve utility, they become more vulnerable to simple, direct prompts. Somesh Jha (University of Wisconsin–Madison) noted that AI agents are often "eager to finish the task," lacking the scepticism a human support agent might exercise. He compared the agents to elementary school students who just want to please the teacher, rather than verifying identity through security questions.
Bo Li (University of Illinois Urbana-Champaign) emphasised that adequate red-teaming is expensive, yet necessary to counter attackers who may invest significant resources for high-value targets. The event aligns with warnings from scholars about indirect prompt injection and other vulnerabilities in AI agents that automate workflows. The 2026 AI Index from Stanford University indicates that AI development is accelerating rapidly, often outpacing security measures.
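
The guardrail and red-teaming points above can be made concrete with a deterministic authorization gate that sits between the agent and its tools, plus a small regression suite for the direct-request scenario. This is an added example, not Meta's code or anything from the original report; the tool names, factor names, `Session` fields and test cases are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical tool names: actions that can hand an account to someone else.
SENSITIVE_TOOLS = {"change_email", "reset_password", "disable_2fa"}
# Hypothetical factor names proving control of a credential already on the account.
STRONG_FACTORS = {"existing_email_code", "totp"}

@dataclass
class Session:
    account_id: str
    geo_matches_owner: bool = False  # a VPN can make this true: a signal, not proof
    # Written only by the authentication service, never from model output.
    verified_factors: set = field(default_factory=set)

@dataclass
class ToolCall:
    name: str
    args: dict

def authorize(session: Session, call: ToolCall) -> tuple[bool, str]:
    """Decide, outside the model, whether a tool call the agent proposed may run."""
    if call.name not in SENSITIVE_TOOLS:
        return True, "non-sensitive"
    if call.args.get("account_id") != session.account_id:
        return False, "account mismatch"
    # Anything in call.args is model-controlled, so a "verified" flag there is ignored;
    # geo_matches_owner is deliberately not consulted.
    if not (session.verified_factors & STRONG_FACTORS):
        return False, "step-up verification required"
    return True, "verified"

def run_regression() -> dict:
    """Constructed red-team cases to run before deployment and after every change."""
    email = {"account_id": "acct-1", "new_email": "new@example.test"}
    cases = {
        "direct_request_matching_geo": (
            Session("acct-1", geo_matches_owner=True), ToolCall("change_email", email)),
        "model_asserts_verified": (
            Session("acct-1", geo_matches_owner=True),
            ToolCall("change_email", {**email, "verified": True})),
        "owner_with_code": (
            Session("acct-1", verified_factors={"existing_email_code"}),
            ToolCall("change_email", email)),
        "help_lookup": (Session("acct-1"), ToolCall("search_help", {"q": "reels"})),
    }
    return {name: authorize(s, c) for name, (s, c) in cases.items()}

if __name__ == "__main__":
    for name, (allowed, reason) in run_regression().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Because the decision is made in code the model cannot influence, an agent that is "eager to finish the task" can still propose the email change, but the call does not execute until the authentication service has recorded a strong factor.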


