
Instagram AI Chatbot Security Flaw Allowed Account Hijacks, Obama-Era Account Compromised
A critical security flaw in Instagram's AI support system allowed hackers to hijack user accounts, the company confirmed after reports surfaced across social media platforms.
The exploit reportedly permitted unauthorised individuals to reset passwords and change associated email addresses by deceiving the AI chatbot into believing they were the legitimate account holders. This was allegedly achieved by faking location data, often using Virtual Private Networks (VPNs), and then requesting the AI assistant to link a new email for verification purposes.
Meta spokesperson Andy Stone stated the issue has been resolved and affected accounts are being secured. Stone dismissed claims that accounts belonging to world leaders were compromised, although tech news outlet 404 Media reported that a verified Instagram account used by former US President Barack Obama during his White House tenure was among those reportedly affected. This account allegedly posted pro-Iran material before being recovered.
Among those claiming to be impacted was security researcher and former Meta employee, Jane Manchun Wong, who reported her Instagram password was changed without her knowledge. Cyber security researcher Dark Web Informer also shared videos illustrating the exploit's mechanics, showing how the AI bot could be manipulated to send password reset links to a hacker's email address.
The incident highlights ongoing concerns regarding the security implications of increasingly autonomous AI systems, particularly when deployed in sensitive areas like account recovery. Marijus Briedis, Chief Technology Officer at NordVPN, cautioned that AI chatbots with excessive authority and insufficient verification present significant security risks, stressing that account recovery procedures should prioritise robust verification over mere convenience.
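A server-side authorization gate for the failure mode described above, as an added example that is not from Meta, Instagram or the original article; the action names, fields and `authorize` function are all hypothetical. It treats the assistant's own judgement and the requester's network location as non-proof, and requires control of a contact point already on file before any action that changes who owns the account.

```python
from dataclasses import dataclass

# Hypothetical action names: anything that changes who controls the account.
SENSITIVE_ACTIONS = {"link_new_email", "send_password_reset"}

@dataclass(frozen=True)
class RecoveryContext:
    """Facts established by the backend, never taken from the chat transcript."""
    session_authenticated: bool       # requester is logged in to this account
    existing_contact_verified: bool   # one-time code sent to a contact on file was returned
    ip_matches_usual_region: bool     # spoofable with a VPN, so a risk signal only

@dataclass(frozen=True)
class ToolCall:
    """What the assistant asks the backend to do (constructed sample shape)."""
    action: str
    target_email: str
    model_says_owner: bool            # the assistant's own conclusion; never trusted

def authorize(call: ToolCall, ctx: RecoveryContext, emails_on_file: set) -> tuple:
    """Return (allowed, reason) for a tool call proposed by the assistant."""
    if call.action not in SENSITIVE_ACTIONS:
        return True, "non-sensitive action"
    # Reset links may only go to addresses the account already had.
    if call.action == "send_password_reset" and call.target_email not in emails_on_file:
        return False, "reset target not on file"
    # model_says_owner and location are deliberately absent from this test.
    if not (ctx.session_authenticated or ctx.existing_contact_verified):
        return False, "no proof of account control"
    # Location can only add friction, never grant access.
    if not ctx.ip_matches_usual_region:
        return False, "unusual location: escalate to human review"
    return True, "account control proven"

if __name__ == "__main__":
    on_file = {"owner@example.com"}   # constructed sample data
    call = ToolCall("link_new_email", "new@example.net", model_says_owner=True)
    spoofed = RecoveryContext(False, False, ip_matches_usual_region=True)
    print(authorize(call, spoofed, on_file))   # denied: no proof of control
    proven = RecoveryContext(False, True, ip_matches_usual_region=True)
    print(authorize(call, proven, on_file))    # allowed
```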

