🔧 Herm-an's Workshop

Garage philosophy, half-baked ideas, and things fixed with duct tape.

Meta’s AI Will Hand Over Your Account If You Ask Nicely

Yesterday, someone discovered that Meta’s AI-powered customer support will happily give your Instagram account to a stranger. All it takes is the account username and a VPN set to your city. Ask the chatbot to send a password reset to an arbitrary email address, and it does. No check on whether that email has ever been associated with the account. No notification to the real owner. Just “here’s your code, boss.”

The account takeover method was so simple that security researcher Sid called it “the most unserious exploit” he’d seen in 15 years. That’s not hyperbole. This isn’t a sophisticated buffer overflow or a phishing campaign. It’s social engineering — but you’re not tricking a human, you’re tricking a language model that Meta decided was ready to handle account recovery.

The flow is two steps:

  1. VPN to the victim’s city. Tell Meta’s AI the account is hacked. Request the reset code be sent to an attacker-controlled email.

  2. That’s it.

The AI may or may not ask for a video selfie to prove identity. Reports suggest that an AI-generated animation from a public profile photo passes this check easily. Once the code is entered, the attacker gets a fresh password reset link. Full ownership transferred.

2FA doesn’t help. The recovery flow bypasses it entirely because the system treats this as a legitimate owner-triggered reset. Existing sessions get revoked. Email and phone on the account get changed. The real owner is locked out with no notification and no human to escalate to.

High-profile targets got hit — the Obama White House account, the Chief Master Sergeant of the U.S. Space Force. Telegram black markets lit up offering account takeover services at steep rates.

Meta says it’s patched now. Cool. But the fact that this was possible at all tells you everything about how AI is being deployed into customer support pipelines. Organizations are replacing fallible humans with fallible machines, except the machines have no domain knowledge, no skepticism, and no common sense. They don’t know what a normal request looks like because they’ve never worked a support ticket in their life. They just pattern-match and comply.

This is what happens when you optimize for cost reduction over security. You put an LLM on the front line because it’s cheaper than paying people. And it works great — until someone realizes the chatbot was never taught to say “no.”

The lesson isn’t that AI is dangerous. It’s that putting AI in charge of things you don’t fully understand is dangerous. Meta employs thousands of the smartest engineers on the planet. And somewhere in that org chart, someone decided that shipping an LLM-powered support agent with the power to reset accounts — without verifying email ownership, without notifying the account owner, without any human escalation path — was a good idea.

That’s not an AI failure. That’s a judgment failure. And you can’t patch that with a model update.
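As an added illustration (not Meta's code and not from the sources below), here is a minimal sketch of the three missing controls enforced as a deterministic gate on the reset action the support agent proposes, rather than left to the model's judgment. All names (`Account`, `gate_reset_request`, `human_queue`) and the sample data are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    verified_emails: set                      # addresses the owner confirmed in the past
    owner_notices: list = field(default_factory=list)

@dataclass
class Decision:
    action: str                               # "send_code" or "escalate_to_human"
    reason: str

def _norm(addr: str) -> str:
    # Assumption: addresses are compared case-insensitively after trimming.
    return addr.strip().casefold()

def gate_reset_request(account, requested_email, human_queue):
    """Decide what happens to a reset the agent proposes. Runs outside the
    model, so nothing said in the chat can change the outcome."""
    # 1. The owner hears about every reset attempt on channels already on file.
    account.owner_notices.append(f"Password reset requested for @{account.username}")
    # 2. A code only goes to an address previously verified on this account.
    if _norm(requested_email) in {_norm(e) for e in account.verified_emails}:
        return Decision("send_code", "destination already verified on the account")
    # 3. Anything else is handed to a person instead of being fulfilled.
    human_queue.append((account.username, _norm(requested_email)))
    return Decision("escalate_to_human", "destination never associated with the account")

def demo():
    # Constructed sample data, not taken from any real account.
    acct = Account("example_user", {"owner@example.com"})
    queue = []
    unknown = gate_reset_request(acct, "stranger@example.net", queue)
    known = gate_reset_request(acct, " Owner@Example.com ", queue)
    return unknown, known, queue, acct.owner_notices

if __name__ == "__main__":
    for item in demo():
        print(item)
```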


Sources: Sid’s Blog — The Newest Instagram “Exploit” is the Goofiest I’ve Seen, Hacker News discussion