Meta AI Support Flaw Enables Instagram Account Takeovers
Attackers exploited weak identity verification in Meta’s AI support chatbot to seize control of Instagram accounts, including those of the Obama White House and the US Space Force.
High-profile Instagram accounts, including the official Obama White House page and the account of the Chief Master Sergeant of the US Space Force, were compromised through a critical vulnerability in Meta’s AI-driven customer support system. The exploit allowed malicious actors to bypass standard security protocols, including two-factor authentication, by resetting passwords to arbitrary email addresses they controlled. The flaw remained active for weeks, if not months, before Meta reportedly patched the issue.
The attack vector began with the attacker initiating a support request via Meta’s AI chatbot, claiming the account had been hacked. To avoid triggering security algorithms, attackers utilised virtual private networks or proxies to mimic the victim’s geographic location. Once the request appeared to originate from the correct region, the AI support system accepted the request for a password reset to an unlinked email address without verifying whether the address had previously been associated with the account.
Identity verification within the system was notably weak, with reports indicating that AI-generated images or animated public photos from the victim’s feed were accepted as valid proof of identity. In some instances, the system requested a video selfie, but the AI proved undiscerning enough to accept pre-existing public content. This weak check allowed attackers to complete the verification process and receive a fresh password reset link, granting them full control of the compromised accounts.
The reset process functioned as a total account takeover, revoking all existing sessions and changing linked contact details without notifying the original owner via email, text, or push notification. Because the system treated the recovery flow as a legitimate action by the account owner, the existing two-factor authentication was bypassed entirely. The actual owner was subsequently locked out and unable to initiate recovery, since their contact details now mapped to the attacker and no human escalation path was available.
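As an added illustration, and not Meta's code or a description of its actual system, the Python sketch below models a fail-closed recovery policy that closes the gaps described above: a reset link may only go to an address already linked to the account, a 2FA-protected account must clear its second factor or a liveness-checked challenge, a matching region carries no weight, and every previously linked address is notified before anything is revoked. The class names, the hold window and the sample data are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    user_id: str
    linked_emails: frozenset          # addresses previously verified on the account
    two_factor_enabled: bool
    notices: list = field(default_factory=list)   # out-of-band notices sent (constructed log)

@dataclass
class RecoveryRequest:
    user_id: str
    target_email: str                 # where the reset link would be sent
    region_matches_history: bool      # geo check; trivially spoofed with a VPN or proxy
    live_challenge_passed: bool       # liveness-checked selfie, not a static or public image
    second_factor_passed: bool        # the account's existing 2FA was actually satisfied

# Hypothetical hold before sessions are revoked, giving the real owner time to cancel.
CONTACT_CHANGE_HOLD_SECONDS = 24 * 3600

def evaluate_recovery(account: Account, req: RecoveryRequest) -> dict:
    """Fail-closed recovery decision: any failed check denies and escalates to a human."""
    reasons = []
    if req.target_email not in account.linked_emails:
        # Rejects the "reset to an arbitrary attacker-controlled address" path.
        reasons.append("target email was never linked to this account")
    if account.two_factor_enabled and not (req.second_factor_passed or req.live_challenge_passed):
        # Recovery must not silently bypass 2FA the owner deliberately enabled.
        reasons.append("2FA-protected account without second factor or live challenge")
    # req.region_matches_history is intentionally never used as a grant condition:
    # it is a weak signal an attacker can fake, so at most it could raise scrutiny.
    approved = not reasons
    # Notify every previously linked address regardless of outcome, so the real
    # owner learns of the attempt before any session is revoked or contact changed.
    for addr in sorted(account.linked_emails):
        account.notices.append((addr, "recovery approved" if approved else "recovery denied"))
    return {
        "approved": approved,
        "reasons": reasons,
        "hold_seconds": CONTACT_CHANGE_HOLD_SECONDS if approved else 0,
        "escalate_to_human": not approved,
    }
```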
Black market Telegram groups had been offering account takeover services for short, valuable usernames, with some accounts flipped for hundreds of thousands or millions of dollars. While the Obama White House account and the US Space Force Chief Master Sergeant’s account were used for propaganda, other high-value handles were sold on the secondary market. The AI support option could not be disabled for accounts included in the A/B testing programme, leaving users in those groups exposed until the patch was applied.