🔍AI RiskAtlas
← Real-world cases

Meta AI support bot tricked into hijacking Instagram accounts

Real-world incident31 May 2026 – 01 Jun 2026

Over the weekend of 31 May – 01 Jun 2026, instructions and a demonstration video circulated on Telegram showing how to abuse Meta's AI customer-support assistant to seize Instagram accounts, according to Krebs on Security and TechCrunch. The reported technique relied on social-engineering the agent's account-recovery workflow rather than a classic prompt-injection/jailbreak: connect via a VPN with an IP near the target's hometown to avoid automated security flags, request a password reset, divert to the AI support assistant, and instruct it to add a new (attacker-controlled) email to the account. The bot allegedly attached the email and sent a one-time verification code to it; returning that code surfaced a reset-password option, letting the attacker change the password and lock out the legitimate owner — all without ever controlling the account's real email address. Reporting indicates accounts protected by any form of multi-factor authentication (even SMS) were not vulnerable. Named victims included the Obama-era White House Instagram account (inactive since 2017) and the account of U.S. Space Force Chief Master Sergeant John Bentivegna; several were briefly defaced with pro-Iran imagery. Meta/Instagram spokesperson Andy Stone said the issue was resolved (reportedly via an emergency fix) by 02 Jun 2026. This is illustrative of an agentic-AI confused-deputy / excessive-agency failure: a support agent endowed with privileged identity and account-recovery actions performed them on behalf of an unauthorized requester. The mechanics here are illustrative of the reported pattern, not an operational guide, and circulating scale figures (e.g. tens of thousands of accounts targeted/breached) varied across secondary outlets and were not confirmed by the primary sources.

More cases on Confused Deputy (cross-agent)

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading →·Built by Shi Yuan ↗