Instagram Accounts Hijacked by Tricking Meta's AI Support Bot

A New Kind of Account Takeover

Hackers have discovered they can manipulate Meta's AI support chatbot to hijack Instagram accounts without ever cracking a password. This attack exploits the automated customer service system itself, and it's working. If you or your family members use Instagram, this matters right now.

The Details

Here's how the attack works. Hackers target a specific Instagram account they want to take over. Instead of trying to guess passwords or send phishing links, they go straight to Meta's AI-powered support chatbot.

Using a VPN to fake their location and match the victim's general area, attackers start a conversation with the automated assistant. Through carefully crafted requests and social engineering tactics, they convince the AI bot that they are the legitimate account owner who needs help. The bot, designed to be helpful and resolve issues quickly, can be tricked into adding the attacker's email address to the victim's account.

Once the attacker's email is added, they can reset the password and lock out the real owner. The victim often doesn't realize what's happened until they're suddenly unable to log in. No phishing email was clicked. No password was weak. The AI system itself became the vulnerability.

Who Is Affected

Anyone with an Instagram account is potentially at risk, but certain groups face higher danger. Influencers, content creators, and business accounts are attractive targets because of their follower counts and potential for scams. Teenagers and young adults who use Instagram as their primary social platform should pay close attention.

Parents should be particularly concerned if their children have Instagram accounts, especially if those accounts are linked to email addresses the kids manage themselves. Older adults who use Instagram to stay connected with family may not notice suspicious activity as quickly, making them vulnerable targets as well.

What You Should Do Right Now

1. Turn on two-factor authentication for your Instagram account immediately. Go to Settings > Security > Two-Factor Authentication and enable it using an authenticator app, not just SMS texts.

Review the email addresses linked to your Instagram account. Go to Settings > Account Center > Personal Details > Contact Info. Remove any email addresses you don't recognize.

Check your recent login activity. In Instagram, go to Settings > Security > Login Activity. Look for logins from unfamiliar locations or devices.

Use a unique, strong password for Instagram that you don't use anywhere else. Consider using a password manager to generate and store it securely.

Talk to family members who use Instagram, especially teens and seniors. Make sure they know to check their account security settings and watch for unusual password reset emails they didn't request.

The Bigger Picture

This attack reveals a troubling trend: AI systems are creating new security vulnerabilities even as they're meant to improve user experience. As companies rush to automate customer service with chatbots, attackers are learning to exploit the gaps in AI decision-making. These bots lack human judgment and can be manipulated through social engineering just like people can, sometimes more easily.

How GetCyberRight Can Help

Our Cloud Account Takeover Intelligence tool tracks exactly these kinds of emerging threats. We monitor new methods attackers use to compromise social media and cloud accounts so families can stay ahead of evolving risks. Understanding how account takeovers happen is the first step in preventing them from happening to you and your loved ones.