Hackers Hijacked High-Profile Instagram Accounts by Asking Meta's AI Support Bot Nicely
Attackers seized high-profile Instagram accounts by exploiting a 'confused deputy' flaw in Meta's AI support bot: they asked it to bind a new email, the bot sent the one-time code to the attacker, and the owner was locked out. Meta has pushed an emergency hotfix.
Social-engineering a support agent into handing over an account is an old attack. What is new is that the agent is now an AI with direct write access to the account-recovery APIs — and no instinct to ask who it is really talking to.
MENLO PARK, Calif. — Attackers hijacked a number of high-profile Instagram accounts by tricking Meta's own AI-powered support chatbot into granting them access, exploiting what researchers and reporters describe as a classic 'confused deputy' flaw, in coverage that broke across June 1-2, 2026.
The compromised accounts included an Instagram handle for the Obama-era White House — apparently dormant since 2017 — and the account of U.S. Space Force chief master sergeant John Bentivegna; security researcher Jane Wong said her own account was taken over as well. Meta confirmed the vulnerability and pushed an emergency hotfix.
What Happened
Over June 1-2, 2026, multiple outlets reported that attackers had seized control of several high-profile Instagram accounts not by phishing their owners or guessing passwords, but by manipulating Meta's own AI-powered support chatbot. The technique exploited a 'confused deputy' weakness: the attacker simply asked the chatbot to link the target account to a new email address, and the bot — which had the authority to do so but insufficient verification of who was actually asking — complied. It added the attacker-controlled email to the account and sent a one-time verification code straight to that address. With the code in hand, the attacker completed a password change and locked the legitimate owner out.
The named victims underline the reach. They include an Instagram handle associated with the Obama-era White House that appears to have been inactive since 2017, the account of U.S. Space Force chief master sergeant John Bentivegna, and the personal account of security researcher Jane Wong, who has a long track record of surfacing platform features and flaws. Meta confirmed the vulnerability and, according to the reporting, pushed an emergency hotfix on a Friday night that disabled or heavily restricted the AI conversational flows with direct write access to the email-binding and password-reset APIs — closing the specific path the attackers had used.
What a 'Confused Deputy' Attack Is
The term predates AI by decades, and understanding it is the key to this story. A 'confused deputy' is a privileged component that is tricked by a less-privileged party into misusing the authority it legitimately holds. The classic textbook example is a compiler with permission to write to a protected directory that an unprivileged user fools into overwriting a file it should not. Here, the deputy is Meta's AI support bot. It legitimately holds the power to change an account's recovery email — that is part of helping users who are locked out — but it lacked a robust way to confirm that the person in the chat was the rightful owner. The attacker did not break the bot's permissions; the attacker borrowed them, by asking the bot to do something it was allowed to do, on behalf of someone it failed to authenticate. That is why no exploit code was required: the vulnerability was in the bot's judgment about who it was serving, not in any line of code an attacker had to subvert.
Social-Engineering the Agent, Not the Human
Account-takeover via support-desk social engineering is not new — convincing a human agent to reset an account has been a staple of high-profile hijackings for years. What is new, and what makes this the editorial signal, is that the deputy is now an AI agent wired directly into the account-recovery APIs. An AI support flow optimizes for resolving the user's request smoothly, and absent strong identity checks, 'please move my account to this email' is exactly the kind of request it is built to fulfill. This is the second documented 'confused deputy' problem to surface in Meta's AI this year — earlier coverage examined a variant that leaked internal data rather than enabling account takeover — and it sits alongside the broader run of AI-as-trust-surface incidents The CyberSignal has tracked, from the SymJack campaign abusing fake AI-assistant installers and chatbot trust to the defensive build-out in Google's AI threat-defense launch and the offensive use of AI tooling in the GreyVibe campaign that wove ChatGPT and Gemini into a likely-Russian operation. The throughline: as AI agents gain the authority to act, they inherit the social-engineering target that used to sit on human agents.
A Consumer-Identity Recovery Flaw, in Familiar Company
Strip away the AI novelty and the underlying failure is an account-recovery one — the same class of weakness behind a run of consumer-identity incidents this cycle. It rhymes with the Signal recovery-key phishing wave that targeted the account-recovery construct, the Dashlane brute-force attack against a new-device token flow, and the Tycoon2FA phishing kit that defeats multi-factor authentication — each one an attack on the mechanism that is supposed to let a legitimate user, and only a legitimate user, regain control. The recovery path is perennially the soft underbelly of account security because it must, by design, work for someone who has lost their normal credentials. Bolting an AI agent onto that path without hardening its identity checks widened the soft spot rather than narrowing it.
Scope and Impact
The immediate scope is bounded and, per the reporting, closed: a set of high-profile Instagram accounts were taken over, Meta confirmed the flaw, and an emergency hotfix restricted the offending AI flows. There is no indication this was a mass campaign against ordinary users rather than a targeted abuse of a newly discovered weakness against prominent handles, and the specific path is reported as remediated. The accounts named — a dormant government handle, a military official's account, a researcher's account — suggest opportunistic targeting of recognizable names rather than a broad sweep.
The wider scope is the one that should worry security leaders, and it is not Instagram-specific. Every platform that has deployed an AI agent capable of changing account state — email, phone number, payment method, recovery contact, password — now carries this exact attack surface. The Meta incident is simply the first high-profile, publicly confirmed account takeover to run through an AI support agent rather than a human one, and the generalizable question for any organization that has shipped such an agent is whether its AI can perform an account-state mutation that a human agent would only do after identity verification.
Response and Attribution
For Instagram users, especially those running brand, executive or public-figure accounts, the practical steps are the familiar account-hardening ones plus heightened vigilance for the active window: audit the account's primary email and recover immediately through Instagram's official flow if it changed without your action, enable app-based (not SMS) two-factor authentication, review trusted devices and active sessions, and route any account-management need through Meta's verified support channels rather than the AI tools. Brand and influencer-management teams should keep a vault of account-ownership evidence — founding email, payment proof, original recovery codes — so a human-assisted recovery can be initiated fast, and should treat any 'verify your identity' prompt arriving through Meta channels with elevated scrutiny during the campaign window.
For product-security leaders at any organization deploying AI customer support, this generalizes into a concrete mandate. Inventory every AI-support workflow that can change account state, and require human-agent verification or strong out-of-band re-authentication before any such change executes — the AI should propose the change, not perform it. Red-team the AI-support surface specifically with social-engineering prompts, because its failure modes differ from a human agent's and need their own threat model. On framing and attribution, no threat actor has been named and the reporting describes opportunistic abuse rather than an organized group; the responsible read is that this is a disclosed-and-patched logic flaw whose value is as a warning to every other AI-support deployment, not as an attribution puzzle.
The CyberSignal Analysis
Signal 01 — AI Customer Support Is a New Account-Takeover Surface
The headline novelty is not that an account got hijacked; it is the path. For the first time at this profile, the deputy that got confused was an AI agent rather than a human support rep, and it was wired directly into the recovery APIs. That is a structural shift worth internalizing: every capability you grant an AI support agent is also a capability an attacker can try to socially engineer out of it, and the agent has no human instinct for 'this request feels wrong.' Organizations racing to deploy AI support should treat any account-state-mutating capability as the highest-risk thing the agent can do, and gate it accordingly. The convenience of letting the bot 'just handle it' is precisely the convenience an attacker exploits.
Signal 02 — The Fix Is Authorization, Not a Better Prompt
It is tempting to read this as a prompt-engineering failure — as if a cleverer system prompt would have stopped the bot from being talked into the email change. That framing is a trap. The real failure was an authorization-design one: the AI flow held direct write access to email-binding and password-reset APIs without a binding check that the requester was the account owner. Meta's hotfix reflects this correctly — it restricted the flows' access to those APIs rather than merely retraining the bot to be more suspicious. The durable lesson for builders is that you cannot prompt your way to authorization. Sensitive, state-changing actions need hard controls — out-of-band verification, human approval, scoped permissions — that hold regardless of how persuasive the conversation gets, because a sufficiently creative request will always eventually talk a model into compliance.
Signal 03 — Recovery Paths Stay the Soft Underbelly
Underneath the AI story is the oldest problem in account security: the recovery path has to work for someone who has lost their credentials, which means it is intrinsically the weakest link, and attackers know it. This incident joins a steady run of 2026 attacks aimed squarely at recovery and re-authentication constructs rather than at primary passwords, because that is where the design tension lives. The takeaway for defenders is to apply the same rigor to recovery flows that they apply to authentication — strong, multi-signal verification before any recovery action, monitoring for anomalous recovery activity, and an assumption that a determined attacker will probe the recovery path first. Adding an AI agent to that path does not change the principle; it just raises the stakes of getting it wrong.
