Hackers Didn't Hack Instagram. They Just Asked Meta's AI Nicely.
The bug has been patched. Here's how to protect yourself right now.
On June 1st, 404 Media reported something that should make every Instagram user pay attention: hackers took over high-profile Instagram accounts by simply asking Meta’s AI support chatbot to hand them over.
No code exploits. No password cracking. No phishing emails.
They opened a support chat, used a VPN to match the account owner’s location, and asked the AI to change the email address on the account. The AI complied. From there, the hackers reset two-factor authentication and had full control.
Who Got Hit
The compromised accounts weren’t small:
Sephora (major global brand)
The Chief Master Sergeant of the Space Force (US military)
Jane Manchun Wong (well-known security researcher)
Albert Renshaw (developer who owned the handle @albert)
The archived Barack Obama White House account
Over 100 high-value accounts were hijacked in total before the vulnerability was exposed publicly.
How It Happened
In March 2026, Meta rolled out AI-powered support across all Facebook and Instagram accounts. The AI chatbot was given elevated permissions — including the ability to change account recovery email addresses and reset security settings.
Hackers discovered that the AI had no robust identity verification. If you could match the account owner’s general geographic region with a VPN, the AI would process your request to change the email address. Once the email was changed, the hacker could reset the password and bypass two-factor authentication.
The vulnerability was live from roughly March through early June 2026 — about three months — before 404 Media’s reporting forced Meta’s hand.
Meta VP of communications Andy Stone confirmed the fix was deployed over the weekend of May 31–June 1, 2026.
Why This Matters Beyond Instagram
This is a warning about what happens when companies give AI systems elevated permissions without adequate safeguards.
Meta replaced human support agents with an AI chatbot to save money. That chatbot was given the power to change account credentials — the single most sensitive operation in account security — without proper identity verification.
The AI was socially engineered. Just like a human support agent might be tricked, the AI was tricked. Except an AI doesn’t get suspicious. It doesn’t ask follow-up questions out of instinct. It follows its instructions, and its instructions said: process the request.
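To make the design failure concrete, here is an added example (not Meta's code and not the fix Meta deployed) of an authorization gate placed in front of a support agent's account tools, with the region-only check beside a hardened one. The action names, proof names and the 72-hour cooldown are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical tool names for a support agent; not Meta's API.
SENSITIVE = {"change_email", "reset_password", "reset_2fa"}
# Evidence of account control, as opposed to context an outsider can imitate.
STRONG_PROOFS = {"authenticated_session", "totp_code", "link_to_current_email"}
COOLDOWN = 72 * 3600  # assumed hold (seconds) after a contact change


@dataclass
class Account:
    home_region: str
    email_changed_at: Optional[int] = None


@dataclass
class Request:
    action: str
    ip_region: str
    now: int  # constructed clock, seconds
    proofs: set = field(default_factory=set)


def weak_gate(req: Request, acct: Account) -> bool:
    """The flaw described above: a matching region is treated as identity."""
    return req.ip_region == acct.home_region


def hardened_gate(req: Request, acct: Account) -> tuple:
    """Return (allowed, reason); region is never accepted as proof."""
    if req.action not in SENSITIVE:
        return True, "non-sensitive"
    if not req.proofs & STRONG_PROOFS:
        return False, "step-up required"
    changed = acct.email_changed_at
    if (req.action != "change_email" and changed is not None
            and req.now - changed < COOLDOWN):
        return False, "cooldown after contact change"
    return True, "verified"


def apply(req: Request, acct: Account) -> tuple:
    """Run the hardened gate and record a successful email change."""
    decision = hardened_gate(req, acct)
    if decision[0] and req.action == "change_email":
        acct.email_changed_at = req.now
    return decision
```

The gate runs outside the model, so the chatbot can only request a sensitive action and cannot be talked into approving it.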
The Bug Is Patched. But You Should Still Act Now.
Meta says the vulnerability is fixed. But this flaw existed for three months before anyone caught it publicly. Here’s exactly what to do right now to protect your Instagram account:
1. Change Your Password Today
Make it unique — not reused from any other service. Use a password manager. Minimum 16 characters, random.
2. Switch to Authenticator App 2FA (Not SMS)
SMS-based two-factor authentication is vulnerable to SIM swapping. Switch to an authenticator app like Google Authenticator, Authy, or 1Password’s built-in authenticator.
How: Instagram → Settings → Accounts Center → Password and security → Two-factor authentication → Select your account → Choose “Authentication app.”
3. Check Your Recovery Email and Phone Number
Make sure the email and phone number on your account are yours and current.
How: Instagram → Settings → Accounts Center → Personal details → Check email addresses and phone numbers listed.
4. Review Login Activity
Check if anyone else has accessed your account from an unfamiliar location or device.
How: Instagram → Settings → Accounts Center → Password and security → Where you’re logged in. Remove any sessions you don’t recognize.
5. Turn On Login Alerts
Get notified any time someone logs into your account from a new device.
How: Instagram → Settings → Accounts Center → Password and security → Login alerts → Turn on for all notification methods.
6. Review Trusted Devices
Remove any devices you don’t actively use.
7. Revoke Suspicious Third-Party App Access
Check which apps have access to your Instagram account and remove anything you don’t recognize.
How: Instagram → Settings → Website permissions → Apps and websites.
The 5-Minute Security Audit
If you only have 5 minutes, do this:
Change password to something unique and strong (2 min)
Switch to authenticator app 2FA if you’re still on SMS (2 min)
Check “Where you’re logged in” and remove unfamiliar sessions (1 min)
The Bigger Picture
We’re entering an era where AI systems have real power over our digital lives. They can change our passwords, modify our account settings, and make decisions about our identity — often with less scrutiny than a human agent would apply.
This Meta incident is the first major, publicly documented case of AI support being socially engineered at scale. It won’t be the last.
The best defense is not to trust any single platform with your security. Use strong unique passwords. Use authenticator-based 2FA. Monitor your accounts. And pay attention when stories like this break — because the next vulnerability might not get patched as quickly.
Don’t Miss the Next Security Alert
This is the kind of story that breaks on a Sunday night and affects every single person with an Instagram account. If I hadn’t been tracking this, you might not have seen it until it was too late.
I cover AI security, digital marketing, and the tools that actually protect (or expose) your online presence. When the next vulnerability drops — and there will be a next one — I’ll break it down before the mainstream news even picks it up.
Subscribe free so you never miss a critical alert like this. Your account security shouldn’t depend on whether you happened to scroll past the right post.
Was this useful? Forward it to someone who needs to lock down their Instagram today. Every share helps someone protect their account before the next exploit lands.
Follow me on Instagram @liz.on.the.web for real-time security alerts and AI breakdowns you won’t find anywhere else.

