Meta AI Bot Exploit Leads to High-Profile Instagram Account Defacements
A novel exploit targeting **Meta**'s AI support assistant bot allowed hackers to briefly deface high-profile **Instagram** accounts, including those associated with the **Obama White House** and the **U.S. Space Force**. The vulnerability, shared via **Telegram**, enabled unauthorized password resets by tricking the bot into linking new email addresses to existing accounts. **Meta** has since deployed an emergency patch to address the issue.
# AI Bot Vulnerability: How Hackers Briefly Seized High-Profile Instagram Accounts
## Introduction to the Incident
The **Instagram** accounts for the **Obama White House** and the Chief Master Sergeant of the **U.S. Space Force** were briefly defaced over the weekend with pro-Iranian images and messages. This incident followed the circulation of instructions on **Telegram** detailing how to exploit **Meta**'s "AI support assistant" bot to reset account passwords.
## The AI Bot Exploit Unveiled
On May 31, details emerged across several **Telegram** instant message channels about a critical flaw in **Meta**'s AI bot. The exploit allowed the bot to add an attacker-controlled email address to an existing account as part of its standard password reset flow.
A video, purportedly released by pro-Iran hackers on **Telegram**, documented a surprisingly simple method. Attackers would use a VPN to mimic an IP address near the target's usual location, initiate a password reset, and then engage with **Meta**'s AI support assistant.
The video demonstrated instructing the bot to link the target account to a new email address. The AI assistant then reportedly sent a one-time code to this new address, granting the attacker the ability to reset the account's password.

## Impact and Scope
The same **Telegram** account that publicized the exploit also shared screenshots of the pro-Iran defacements on the compromised **Instagram** accounts. The hackers claimed to have used this vulnerability to hijack numerous "valuable" (short) **Instagram** account names, alleging a potential resale value exceeding half a million dollars.
## Meta's Response and Resolution
While **Meta** has not officially commented on the video's claims, **Andy Stone**, a spokesperson for **Meta**, confirmed via **Twitter/X** that the issue had been resolved and that the company was securing impacted accounts.
According to a report by [thecybersecguru.com](https://thecybersecguru.com/news/instagram-meta-ai-vulnerability-account-recovery-exploit/), **Meta** deployed an emergency patch over the weekend. The report clarified that no backend database breach occurred, indicating the vulnerability was specific to the AI bot's interaction logic rather than a core system compromise.
**thecybersecguru.com** highlighted the challenge of **Instagram**'s notoriously poor human support infrastructure. They suggested **Meta**'s AI assistant was intended to streamline common recovery workflows, such as relinking lost emails or triggering password resets, but inadvertently introduced a new attack vector.
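A server-side gate of the kind that keeps this class of flaw out of an assistant-driven recovery workflow, shown as an added example that is not Meta's code and is not taken from the cited report. The tool names `link_email` and `send_reset_code`, the `Account` and `Session` types, and all sample data are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    handle: str
    verified_emails: set
    mfa_enabled: bool = False

@dataclass
class Session:
    # Set only by backend verification steps, never from chat text.
    proven_contacts: set = field(default_factory=set)
    mfa_passed: bool = False

def authorize(account, session, tool, args):
    """Decide whether a tool call requested by the assistant may run."""
    if tool == "send_reset_code":
        # One-time codes go only to contacts already verified on the account.
        if args["email"] not in account.verified_emails:
            return False, "destination is not a verified contact"
        return True, "ok"
    if tool == "link_email":
        # Adding a contact is a privileged change: require proof of control
        # of an existing contact, plus MFA when the account has it enabled.
        if not (session.proven_contacts & account.verified_emails):
            return False, "no proof of control of an existing contact"
        if account.mfa_enabled and not session.mfa_passed:
            return False, "MFA challenge not passed"
        return True, "ok"
    return False, "tool not allowlisted"  # default deny

def replay(account, session, calls):
    """Run a sequence of (tool, args) requests through the gate."""
    return [authorize(account, session, t, a)[0] for t, a in calls]

# Constructed sample data (not real accounts or addresses).
ACCOUNT = Account("example_handle", {"owner@example.com"}, mfa_enabled=True)
REPORTED_FLOW = [  # requester has proven nothing; asks to link, then reset
    ("link_email", {"email": "new@example.net"}),
    ("send_reset_code", {"email": "new@example.net"}),
]

if __name__ == "__main__":
    print(replay(ACCOUNT, Session(), REPORTED_FLOW))  # both requests denied
    owner = Session(proven_contacts={"owner@example.com"}, mfa_passed=True)
    print(replay(ACCOUNT, owner, REPORTED_FLOW[:1]))  # verified owner may link
```

The decision depends only on state the backend has verified, so nothing the requester says to the assistant can change the outcome.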
## Expert Perspective on AI Security
**Ian Goldin**, a threat researcher at **Lumen's Black Lotus Labs**, emphasized that the increased reliance on AI chatbots for sensitive tasks is pushing security into uncharted territory.
Goldin drew parallels between human customer support agents and AI bots, noting that both can be susceptible to social engineering or trickery. "AI chatbots create interesting new attack surface, and we're likely going to see a lot more of these kinds of attacks," Goldin stated.
## Protecting Your Accounts
This incident underscores the critical importance of robust multi-factor authentication (MFA). The hackers behind the **Telegram** video explicitly stated that their exploit failed against any accounts with MFA enabled.
Users are strongly advised to enable the most secure forms of MFA available, such as passkeys or security keys. Even less robust MFA methods, like one-time codes sent via SMS, would have likely prevented this specific exploit.