Meta's Support Chatbot Exploited to Hijack Instagram Accounts

A video posted on Telegram showed something troubling: an attacker asking Meta's official support chatbot to change the email address linked to someone else's Instagram account. The chatbot complied. That was enough to start the password recovery process and take control of the account. The Verge reported the case on June 1st, citing the original investigation by 404 Media.

Meta has confirmed the problem and claims it has already been fixed, though it has not specified when the flaw was introduced or how many accounts may have been affected.

What exactly was happening

Meta's support chatbot has access to account management operations to help legitimate users recover access to their profiles. The problem was that, apparently, it did not sufficiently verify whether the person making the request was actually the account owner. An attacker could provide the username of any third-party profile, request an email address change, and the system would process it without requiring robust identity verification.

It's a known pattern in security: when a conversational agent is added as an interface layer over sensitive operations, the validations that were previously implicit in a form or manual workflow can become blurred or outright omitted. The chatbot was, in practice, acting as an unauthenticated proxy for high-privilege actions.

Why it matters beyond Meta

This incident is not just a Meta problem. It's a generic warning for any organization deploying AI agents to automate customer support with access to real data or account actions.

When an LLM can execute operations in backend systems, whether through tools, API calls, or in Anthropic's ecosystem via MCP servers, the security perimeter shifts. It's no longer enough to secure the API endpoint; you must also secure the agent calling it, including how it interprets user instructions and what verifications it requires before executing irreversible or high-impact actions.

In the case of Claude Code and MCP servers, Anthropic has documented this type of risk under the concept of prompt injection and recommends that developers implement explicit validations before an agent calls tools with write or modification capabilities. The Meta incident illustrates what happens when this isn't done properly in production and at scale.

Who should pay attention

For teams building support agents or assistants with access to user accounts, this case is required study material. Specific points to review:

• Principle of least privilege: the agent should only be able to execute actions strictly necessary for its function.
• Identity verification outside the conversational channel: critical changes like email or password should require confirmation through a second channel independent of the chat.
• Logging and auditing: any sensitive action executed by the agent should be recorded with sufficient context to detect anomalous patterns.
• Adversarial testing: before deploying, simulate attacks where a user attempts to operate on other accounts.

None of this is new in traditional security. What changes with AI agents is that the attack surface expands and exploitation vectors can be as simple as a sentence in natural language.

The current state

Meta has not published a public postmortem nor specified the actual scope of the problem. The company has simply confirmed that the flaw exists and has already been fixed. It's a response that, at minimum, leaves open questions about how long the exploit was active and whether accounts were compromised before it became public.

---

From our perspective, this case is representative of a structural problem we'll see repeat itself: the pressure to deploy AI agents in customer support is moving faster than the maturity of teams to evaluate their security implications. It's not pessimism, it's what the history of any technology that scales before its risk patterns are well understood tells us.