
Hackers Used Meta’s Own AI Chatbot to Steal Instagram Accounts. The Pattern Is Clear.

Sara Voss · Security & Privacy · June 3, 2026

The exploit was stunningly simple. A hacker wanted access to a high-profile Instagram account. They initiated a password reset, opened Meta’s AI-powered support chatbot, and asked it to change the account’s email address to one they controlled. The AI approved the request. No human review. No identity verification. Just a bot handing over the keys.

By the time Meta deployed an emergency patch on May 29, hackers had compromised accounts belonging to the Obama White House archive, Sephora, and numerous celebrities, accounts worth hundreds of thousands of dollars on the gray market, Ars Technica reported. Meta confirmed the breach on June 1.

This isn’t an isolated incident. It’s a pattern. And it’s accelerating faster than most people realise.

At a glance:
48% of breaches are ransomware
31% of breaches involve software vulnerability exploitation
$893M lost to AI scams in 2025
87% of customer-facing mobile apps attacked
26% of critical vulnerabilities patched

Image: security operations centres are struggling to keep pace as AI lowers the barrier for attackers. | Source: Pexels

01 — The Meta AI Breach: What Actually Happened

Here’s the sequence, as laid out in Ars Technica’s technical breakdown. A hacker targets an Instagram account, say a verified celebrity handle worth six figures on the gray market. They don’t need the password. They don’t need 2FA codes. They need only to approximate the account’s region with a VPN, trigger a password reset, and then ask Meta’s AI support chatbot to change the account’s recovery email to an address they own.

The bot, built to streamline customer support, did not verify the requester’s identity beyond a basic regional match. It sent a verification code to the attacker’s new email address and asked for it in the chat interface. That code proved only that the requester controlled the address they had just typed in, not that they owned the account. Once the code was entered, the email was changed. The hacker reset the password, and the real account owner was locked out.

The pseudonymous researcher ZachXBT posted on X about how “the Meta AI support is garbage and has lots of access perms which allowed you to reset passwords to any user without 2FA and did not verify who you are.” Researcher Dark Web Informer described the same exploit independently, confirming it had been recently patched. But for the accounts already taken — including the Obama White House archive’s Instagram handle — the damage was done.

Key Insight

This isn’t a sophisticated zero-day. It’s a social engineering attack against an AI — a vulnerability in the trust architecture that companies are building around automated support systems. The AI didn’t fail at its job. It did exactly what it was designed to do. That’s the problem.
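To make the design difference concrete, here is the flow described above beside a hardened version, written as an added example for this article. It is not Meta’s code, and the account store, mailbox, handles and addresses are constructed for illustration. The weak tool does what the page describes: it checks region, then sends its code to the address the caller just typed. The hardened tool only acts for the account the caller is signed in as, requires step-up when 2FA is on, sends its challenge to the contact already on file, and routes high-profile accounts to a human instead of finalising the change itself.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    handle: str
    email: str                  # recovery contact already on file
    two_factor: bool = False
    high_profile: bool = False


@dataclass
class Request:
    handle: str                 # account the caller wants changed
    new_email: str              # address the caller typed into the chat
    region_matches: bool        # the only signal the weak flow checks
    session_user: Optional[str] = None   # account the caller is actually signed in as
    second_factor_ok: bool = False       # step-up (authenticator app) passed this session


class Mailbox:
    """Constructed stand-in for outbound email: address -> last code sent there."""

    def __init__(self) -> None:
        self.sent: dict[str, str] = {}

    def send_code(self, address: str) -> None:
        self.sent[address] = secrets.token_hex(3)

    def read(self, address: str) -> str:
        # Whoever can call this for an address is modelled as controlling that inbox.
        return self.sent.get(address, "")


def code_matches(mailbox: Mailbox, address: str, submitted: str) -> bool:
    stored = mailbox.read(address)
    if not stored:                       # no challenge issued: an empty code must not match
        return False
    return hmac.compare_digest(stored.encode(), (submitted or "").encode())


# Weak flow: the behaviour described above. A region check, then a code sent
# to the address the caller just supplied, which an attacker can always read.
def weak_start(acct: Account, req: Request, mailbox: Mailbox) -> str:
    if not req.region_matches:
        return "denied: region mismatch"
    mailbox.send_code(req.new_email)
    return "code sent to new email"


def weak_finish(acct: Account, req: Request, mailbox: Mailbox, code: str) -> str:
    if not code_matches(mailbox, req.new_email, code):
        return "denied: bad code"
    acct.email = req.new_email          # proves control of new_email, not of the account
    return "changed"


# Hardened flow: bound to the signed-in account, step-up when 2FA is on,
# challenge delivered to the existing contact, human review for high-profile accounts.
def hardened_start(acct: Account, req: Request, mailbox: Mailbox) -> str:
    if req.session_user != acct.handle:
        return "denied: not signed in as this account"
    if acct.two_factor and not req.second_factor_ok:
        return "denied: second factor required"
    mailbox.send_code(acct.email)       # challenge goes to the address already on file
    return "code sent to existing email"


def hardened_finish(acct: Account, req: Request, mailbox: Mailbox, code: str) -> str:
    if req.session_user != acct.handle:
        return "denied: not signed in as this account"
    if not code_matches(mailbox, acct.email, code):
        return "denied: bad code"
    if acct.high_profile:
        return "pending: human review"  # the bot never finalises these
    acct.email = req.new_email
    return "changed"


def attacker_attempt() -> dict[str, tuple[str, str]]:
    """Attacker with no session, matching region, who controls attacker@example.com."""
    results = {}
    for name, start, finish in (("weak", weak_start, weak_finish),
                                ("hardened", hardened_start, hardened_finish)):
        acct = Account("celebrity", "owner@example.com", two_factor=False, high_profile=True)
        mailbox = Mailbox()
        req = Request("celebrity", "attacker@example.com", region_matches=True)
        start(acct, req, mailbox)
        code = mailbox.read("attacker@example.com")   # attacker reads only their own inbox
        results[name] = (finish(acct, req, mailbox, code), acct.email)
    return results


def owner_attempt(high_profile: bool = False) -> tuple[str, str]:
    """Legitimate owner: signed in, step-up done, reads the code from the on-file inbox."""
    acct = Account("celebrity", "owner@example.com", two_factor=True, high_profile=high_profile)
    mailbox = Mailbox()
    req = Request("celebrity", "new-owner@example.com", region_matches=True,
                  session_user="celebrity", second_factor_ok=True)
    hardened_start(acct, req, mailbox)
    code = mailbox.read(acct.email)
    return hardened_finish(acct, req, mailbox, code), acct.email


if __name__ == "__main__":
    print(attacker_attempt())
    print(owner_attempt(), owner_attempt(high_profile=True))
```

Run as written, the weak flow hands the attacker the account (email becomes attacker@example.com) while the hardened flow refuses before any code is issued; the legitimate owner still gets through, and a high-profile account is parked for a human. The empty-code guard in code_matches matters: without it, "no challenge sent" and "blank code submitted" would compare equal. A real deployment would add rate limiting and an audit log of every change the bot attempts.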

02 — The Bigger Picture: AI Is Supercharging Every Attack Vector

The Meta incident is newsworthy because of the names involved. But it’s representative of something much larger: AI is being used as both the weapon and the target, simultaneously, across every layer of the security stack.

AI-enabled scams, voice cloning among them, cost Americans $893 million in 2025 alone, and that figure covers only reported losses, CNN reported. Voice cloning needs just a few seconds of audio to replicate a person’s voice. A California mother described losing thousands after receiving a call that sounded exactly like her daughter in distress. The FBI confirms that voice cloning, AI-generated phishing emails, deepfake romance scams, and synthetic identity fraud are all accelerating, and the tools to create them are now free and usable by anyone in minutes.

On the corporate side, 87% of customer-facing mobile apps were attacked in 2026, up from 55% in 2022, according to Digital.ai’s 2026 Application Security Threat Report. The report attributes the surge directly to AI lowering the technical, time, and cost barriers for attackers. “The barrier to entry is lower and the quality is so much higher than it was three years ago,” Check Point’s Jeremy Fuchs told CyberScoop in its election threat report published Monday.

The Carnival Cruise breach, disclosed last week, exposed personal data on 6 million customers — names, addresses, government-issued ID numbers — after a social engineering attack compromised an employee account. The pattern repeats: AI-generated pretexting creates more convincing lures, and the volume of attacks becomes impossible for human review to match.

03 — Supply Chains Are the New Front Line

On May 18, a compromised version of Nx Console — a Visual Studio Code extension used by thousands of developers — was published to the official marketplace. Within 11 to 18 minutes, attackers exfiltrated credentials and internal source code from approximately 3,800 internal GitHub repositories. The attack vector: a stolen contributor’s GitHub token, used to push a malicious commit and publish the compromised extension.

This is the supply-chain attack model in its most dangerous form: compromise one trusted tool, and you get access to every organisation that uses it. The Nx Console attack followed similar logic to the Mini Shai-Hulud campaign, which compromised the open source library TanStack to breach OpenAI employee machines last week. According to Darktrace, software supply-chain attacks now represent the primary threat shaping the 2026 security landscape.

Meanwhile, the NYC Health and Hospitals breach — disclosed in March but only now showing its full scope — affected 1.8 million patients. Hackers had access to the network for two months, stealing medical records, SSNs, and fingerprint scans. The World Food Programme confirmed on June 2 that a breach of its self-registration application exposed personal data belonging to 600,000 Gaza households — names, ID numbers, mobile numbers, and location data — in what may be the largest breach of humanitarian beneficiary data ever recorded.

Image: supply chain attacks now dominate the threat landscape; compromising one trusted tool can open doors to thousands of organisations. | Source: Pexels

04 — What the Verizon DBIR Actually Tells Us

Verizon’s 2026 Data Breach Investigations Report, released this week, contains a statistic that should keep every CISO awake: software vulnerability exploitation now accounts for 31% of all security breaches — overtaking credential theft for the first time. Ransomware now represents 48% of all breaches, up from 44% last year, though payments are declining as more organisations refuse to negotiate.

The most sobering number in the report: only 26% of critical vulnerabilities were fully remediated by organisations in 2025. “Put quite simply, there are often too many vulnerabilities and not enough time for patching all of them,” Verizon concluded according to the Insurance Journal. The result is a widening gap between the speed at which vulnerabilities are discovered and the speed at which they’re fixed — and AI-powered attackers are exploiting that gap ruthlessly.

Munich Re’s latest cyber risk report projects global cybercrime costs hitting $14 trillion by 2028 — exceeding the combined economic output of Germany, Japan, and India. Governments, manufacturing, and technology companies are the most targeted sectors. IBM’s 2025 data put the average US data breach cost at $10.22 million, with healthcare averaging $7.42 million per incident.

Key Insight

The security industry has a patching problem that AI is making worse. When only 26% of critical vulnerabilities get fixed and AI tools let attackers scan for unfixed ones at machine speed, the math doesn’t favour the defenders. The gap isn’t technical — it’s organisational.

05 — Five Things You Should Do Right Now

The threats are escalating, but the defensive playbook hasn’t changed dramatically. What has changed is the urgency. Here’s what matters, in order of priority:

1. Enable multi-factor authentication everywhere. The Meta breach worked because accounts without 2FA could be reset entirely through the AI chatbot with no secondary verification. MFA would have stopped the attack cold. Use an authenticator app — not SMS — wherever possible.

2. Never trust an automated support chat for account changes. If you’re locked out of an account, insist on speaking to a human. Automated AI support systems are increasingly the weak link — they’re optimised for speed and convenience, not security. The Meta exploit worked specifically because no human reviewed the email change request.

3. Establish a family verification phrase. Voice cloning scams work because a panicked parent hears their child’s voice and acts before thinking. Agree on a code word or phrase that only your family knows. If you receive a distress call, ask for the phrase before taking action. No phrase, no money. Period.

4. Patch aggressively — and automate it. The Verizon DBIR is unambiguous: only 26% of critical vulnerabilities get fixed in time. Turn on automatic updates for everything. If your organisation runs a vulnerability management programme, the data says you need to triage faster and patch harder. Companies that used extensive AI and automation for security reduced their breach lifecycle and saved an average of $1.9 million per incident, according to IBM’s Cost of a Data Breach report.

5. Think before you click — and verify before you send. AI-generated phishing emails, text scams, and deepfake calls have never been more convincing. The FTC warns of a new text scam involving QR codes and fake fines. If something feels urgent or unexpected, verify it through a separate channel. Never scan a QR code from an unsolicited message. Never click a link in an email that creates a sense of panic. The most sophisticated attacks exploit human psychology, not technical flaws — and against AI, our psychology is the last line of defence.

Frequently Asked Questions

How did hackers trick the Meta AI chatbot?

Hackers initiated a password reset on a target Instagram account, then asked Meta’s AI support chatbot to change the email address to one they controlled. The bot approved the request without verifying identity, sending a verification code to the attacker’s email. Once the email was changed, the hacker reset the password and locked out the real owner.

Which Instagram accounts were compromised in the Meta AI breach?

Accounts including the Obama White House archive, Sephora, and multiple celebrity and influencer accounts with six-figure gray-market values were compromised. Meta confirmed the breach on June 1, 2026 and deployed an emergency patch on May 29. The exploit also affected select Facebook accounts.

What is the biggest cybersecurity threat in 2026 according to the Verizon DBIR?

Software vulnerability exploitation now accounts for 31% of breaches, overtaking credential theft as the top attack vector. Only 26% of critical vulnerabilities were fully remediated in 2025. Ransomware now accounts for 48% of all breaches. Social engineering remains a dominant vector, increasingly supercharged by AI-generated content.

How are AI voice cloning scams affecting individuals?

Americans lost $893 million to AI-related scams in 2025, including voice cloning attacks, AI-generated phishing, and deepfake-enabled romance scams and other hoaxes. Attackers use just a few seconds of audio to create convincing voice replicas. The barrier to entry is lower and the quality is much higher than even three years ago.

What can I do to protect myself from AI-powered cyber attacks?

Enable multi-factor authentication everywhere. Never approve a password reset or account change via automated chat. Establish a family verification phrase to authenticate suspicious calls. Patch software promptly — exploit windows are shrinking. Think before clicking: AI-generated phishing has never been more convincing. Report suspicious messages to your provider.
