
Attackers found a way to exploit Meta’s AI customer support chatbot to take control of Instagram accounts — without knowing the account password. By using a VPN to make their location appear near the target’s, they could trick the bot into resetting the account’s password and swapping in a new email address, locking the real owner out completely. High-profile accounts including the Obama White House Instagram page and the U.S. Space Force’s official account were among those seized, along with dozens of valuable usernames that criminals sell or hold for ransom.
Meta deployed an emergency patch over the weekend and confirmed that no backend databases were breached — meaning passwords and payment information were not exposed. The attack was purely about gaining account access through the AI support flow, not a database leak. Accounts protected with two-factor authentication were significantly harder to compromise.
How to check if you’re affected
Affected products include the Instagram app on all platforms (iOS, Android, and web). Check whether you can still log into your account normally. If you have been locked out or received unexpected password-reset emails you did not request, your account may have been targeted.
To protect yourself: open Instagram → Settings → Accounts Centre → Password and security → Two-factor authentication, and switch it on. Even a simple text-message code makes this kind of attack far more difficult.
