Meta's AI support agent allows Instagram account takeover

A flaw in the AI support agent that Meta is testing on Instagram allows an attacker to take control of any affected account within minutes. No sophisticated engineering required: simply use a VPN near the target's region, ask the agent to send a code to an arbitrary email address, and forward that code back to it. The agent responds with a fully functional password reset link.

The disclosure came on May 31, 2026 via Hacker News, where the author notes that the exploit had been circulating in private Telegram channels for at least several days and over 100 high-profile accounts had already been compromised before the alert reached the public community.

How the attack works

The attack flow, as described by the thread author, is as follows:

1. Connect to a VPN or proxy with an exit point near the geographic region of the target account.
2. Start a conversation with Instagram's AI support agent.
3. Request that the system send a verification code to an email address controlled by the attacker.
4. Receive the code and provide it to the agent.
5. The agent delivers a valid password reset link.

None of these steps requires prior account access or specialized technical knowledge. Approximate geolocation acts as the only friction point, and a VPN removes it without effort.

Why this is a design problem, not just a bug

What makes this case especially relevant for those working with AI agents is that the flaw does not lie in prompt injection or an elaborate jailbreak. The agent simply executes a support flow without verifying that the person on the other end has any prior relationship with the account. Authentication is delegated to the agent itself, which accepts as valid the code it has sent to an address it has not verified.

It is a direct reminder of something the AI agent industry has discussed for some time: an agent with the ability to act on sensitive resources needs authorization controls that go beyond conversational coherence. An agent "trusting" the flow it has initiated is not the same as the flow being secure.

The attack surface grows in proportion to the agent's permissions. In this case, the permission to issue password reset links without prior identity validation is, in practice, a backdoor.

Who is exposed and what they can do

Meta's AI support feature is not enabled for all users: according to the thread author, it is an A/B test affecting an undetermined percentage of accounts. The problem is that users themselves have no straightforward way of knowing whether their account is part of the test group.

Until Meta publishes an official statement, available defensive measures are limited:

• Enable two-factor authentication with a TOTP app or hardware key, not SMS. An attacker who already has the reset link could still face a second factor if configured properly.
• Review active sessions from Instagram settings and log out any that are unrecognized.
• Watch for unsolicited verification code emails from Instagram, a sign that someone may be attempting the attack on the account.

The thread author explicitly asks Meta to temporarily disable the AI support feature and revert username and account ownership changes from recent days. As of this post's publication, there is no public confirmation that Meta has taken any of these steps.

Our take

That a support agent can issue access credentials without verifying the identity of the requester is the type of error that should be blocked at the design phase, not discovered in production with accounts already compromised. The pace of deploying agents with elevated permissions and the security controls that accompany them do not always move at the same speed, and this case illustrates that quite clearly.