
Jun 03, 2026 · 6 min read

Meta's AI Bot Handed Hackers Instagram Accounts

Pro-Iranian hackers spent the last weekend of May 2026 chatting up Meta's own AI customer support bot until it added their email address to other people's Instagram accounts, including the official Obama White House account and that of a US Space Force Chief Master Sergeant. The video walkthrough hit Telegram on May 31, and a Krebs on Security report on June 1 named Lumen's Black Lotus Labs researcher Ian Goldin as the analyst tracking the campaign.

No password was ever guessed. No backend was ever breached. The attackers asked the bot to add a new recovery email to the target account, the bot complied, the bot then sent the one-time reset code to that brand new address, and the attackers used it to lock the legitimate owner out. The whole attack ran inside Instagram's official Help Center, against accounts whose owners had done nothing wrong.

Key Takeaways

  • Meta's Instagram customer support AI bot was tricked into linking attacker-controlled email addresses to victim accounts between May 31 and June 1, 2026, enabling full password resets with no credential theft.
  • Ian Goldin of Lumen's Black Lotus Labs confirmed the playbook circulated on Telegram with step-by-step instructions and proof-of-compromise videos, naming the Obama White House and a US Space Force Chief Master Sergeant among the targets.
  • Short Instagram usernames worth more than $500,000 each were the primary objective, and Meta's Andy Stone confirmed an emergency patch went out over the weekend without a public CVE or full victim count.
  • Accounts protected with an authenticator app or hardware key second factor survived the attack untouched, because the bot's one-time code went to the new email instead of the trusted second factor.

How Did the Attack Actually Work?

The trick was nothing more than a polite conversation with Meta's automated help desk. Attackers first spun up a VPN exit node inside the city the target account was registered to, so the chat session looked like it was coming from the real owner's neighborhood. They then opened Instagram's in-app help, started a password reset, and let the AI agent take over.

When the bot asked for an alternate recovery email, the attackers gave it one they controlled and asked the assistant to add it to the account. The bot complied. Within seconds, the same bot sent a one-time login code to that newly attached email, and the attackers used it to lock the legitimate owner out. Lumen's Ian Goldin, the Black Lotus Labs researcher who tracked the campaign, told Krebs on Security that the videos demonstrating the technique were already circulating on Telegram by May 31.

Who Got Hit?

The targets read like a hijacker's wish list. Public reporting confirms two of the takeovers were the Obama White House Instagram account and a US Space Force Chief Master Sergeant. According to Goldin, the attackers were focused on what underground markets call OG handles, short usernames that trade for $50,000 to $500,000 in private resale forums. Government accounts have value in that economy because they imply credibility; an attacker who controls a verified former White House account can run influence operations or scam followers before anyone notices.

Meta has not published a victim count. Spokesperson Andy Stone confirmed on X that engineers shipped a patch over the weekend and said no backend database had been compromised. That last part is technically true and also beside the point. The attacker did not need a database. The attacker had a chatbot.

Why Is an AI Customer Support Bot a New Attack Surface?

For decades, account recovery was guarded by human agents who could be socially engineered, then by static decision trees that were brittle but predictable. Meta's recent shift to a generative AI assistant for first-line support replaced the decision tree with something that wants to be helpful by design.

"AI chatbots create interesting new attack surface, and we're likely going to see a lot more of these kinds of attacks," Goldin said. The reason is structural. A traditional support workflow is bounded by what an engineer wrote into the form. A large language model is bounded by what the system prompt and the safety rails happen to cover, and those rails are written in natural language by humans who cannot anticipate every clever phrasing. If the bot is allowed to modify account state at all, every clever phrasing is an attack.

Has This Happened Before?

Yes, and that is the second uncomfortable part. The same pattern keeps showing up. In 2024 Air Canada's customer service chatbot promised a bereavement refund the airline did not actually offer, and a tribunal forced the company to honor it. Chevrolet's dealership chatbot was talked into selling a 2024 Tahoe for one dollar. The Gemini for Workspace summarization flaw we covered in the Gmail Gemini prompt injection writeup showed that an attacker can hide instructions inside an email so that a click on Summarize emits a fake "password compromised" warning.

What Meta's Instagram incident demonstrates is that the boundary between an amusing chatbot mistake and high value account theft is the access the bot has. When the bot can update recovery emails, the bot becomes the recovery channel, and the recovery channel becomes whoever the bot believes.

What Should Instagram Users Do Right Now?

Three things, in order of how much they protect you:

  1. Turn on a non-SMS multi-factor method. In Instagram go to Settings, Accounts Center, Password and security, Two-factor authentication, and choose an authenticator app or a hardware security key. The bot's one-time codes were sent to the attacker's new email, but a second factor lives somewhere the bot cannot touch.
  2. Check the email addresses attached to your account. Settings, Accounts Center, Personal details. Anything you do not recognize, remove. Then change your primary email password.
  3. Lock down the email account itself. If an attacker can take over the inbox, they can run the same recovery flow against every service in your life, not just Instagram. Use a unique password, enable a hardware key or passkey, and check the recent activity page for sessions you did not start.

What Companies Should Take Away

If your product roadmap includes an AI agent that can write to account state, change emails, reset passwords, link a phone, or modify billing, assume that agent will be talked into doing it on behalf of an attacker within the first quarter of going live. The right control is not better guardrails in the system prompt. It is removing the bot's ability to make sensitive changes at all, and routing those flows back through cryptographically verifiable steps the user controls: a passkey prompt, a hardware key tap, an out-of-band push that originates on a device already enrolled to the legitimate owner.
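What that control looks like in code, as an added example (not Meta's code, and not how Instagram's support agent is built): a policy gate sits between the LLM agent's tool calls and the account service. Read-only tools pass; any write to recovery state needs an approval signed by the owner's enrolled device that binds the exact change, and reset codes never go to a channel added recently, which is the step that turned the bot into the recovery channel in the incident above. The tool names, the HMAC step-up, the 300-second approval lifetime and the 7-day cooling-off window are all assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical tool catalogue for the support agent (added example, not Meta's code).
READ_ONLY_TOOLS = {"lookup_account", "explain_reset_steps"}
SENSITIVE_TOOLS = {"add_recovery_email", "send_reset_code", "remove_second_factor"}
STEP_UP_TTL = 300            # seconds a device approval stays valid (assumed)
COOLING_OFF = 7 * 24 * 3600  # a new recovery channel cannot receive codes for 7 days (assumed)


@dataclass
class Account:
    username: str
    recovery_emails: dict   # address -> unix time the owner verified it
    device_key: bytes       # secret held only by the owner's enrolled authenticator


def device_approval(acct, tool, args, issued_at):
    """What the enrolled device returns after the owner approves this exact change.
    Binds the tool AND its arguments, so an approval for one email cannot be replayed
    for another, and the chat session alone can never produce it."""
    msg = f"{acct.username}|{tool}|{json.dumps(args, sort_keys=True)}|{issued_at}".encode()
    return hmac.new(acct.device_key, msg, hashlib.sha256).hexdigest()


def gate_tool_call(acct, tool, args, now, approval=None):
    """Decide whether an agent tool call may reach the account service.
    Returns (allowed, reason); the agent has no way to influence the rules."""
    if tool in READ_ONLY_TOOLS:
        return True, "read-only tool"
    if tool not in SENSITIVE_TOOLS:
        return False, "unknown tool"
    if approval is None:
        return False, "sensitive change requires out-of-band step-up"
    issued_at, sig = approval
    if not 0 <= now - issued_at <= STEP_UP_TTL:
        return False, "step-up approval expired"
    if not hmac.compare_digest(sig, device_approval(acct, tool, args, issued_at)):
        return False, "step-up signature does not match this change"
    if tool == "send_reset_code":
        verified_at = acct.recovery_emails.get(args["to"])
        if verified_at is None or now - verified_at < COOLING_OFF:
            return False, "reset codes go only to channels verified before the cooling-off window"
    return True, "approved on enrolled device"
```

Note that the cooling-off rule holds even when the add itself was legitimately approved: a freshly added address is still not a trusted reset channel until the window passes.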

Meta has not said publicly whether it has done this, only that it patched the specific exploit. The patch closes one door. The doorway, an AI agent with write access to recovery channels, is still in the wall.
