A wave of account takeovers hit Instagram in June 2026 — and the attack was deceptively simple. The hackers needed neither sophisticated malware nor access to internal systems. All it took was writing the right words to Meta's AI chatbot.

Prompt Injection: When Words Are Enough

The attack was built on a well-known but still effective method called prompt injection. The technique involves crafting text input that tricks an AI model into ignoring its original instructions and following the attacker's directives instead. According to the research underlying the reporting, the attackers used Meta's AI support assistant — the tool users normally turn to for help with account issues.

The approach followed a clear pattern:

One example of a phrase used in the attack illustrates its nature: attackers asked the bot to link a new email address to a specified user profile, providing the attacker's own address as the recipient for the confirmation code. The chatbot followed the instruction without verifying who was actually making the request.


Authorization Without a Safety Net

According to security experts, the core problem was not that the chatbot said something wrong — but that it did something wrong with far too much authority.

"The Meta bot verified nothing about who was asking. It just did what it was told — including sending the confirmation code to the attacker's email." — Dan Moore, FusionAuth

Dan Moore, Head of Developer Relations at FusionAuth, said, according to the source material, that this exposes a structural weakness in AI agent architectures: the chatbot functioned as both a conversational interface and an authorization mechanism. No independent verification layer outside the AI tier had to be passed before privileged changes were carried out. The bot had direct write access to the APIs for password resets and email binding, with no requirement for external approval.

The attack required no technical expertise beyond writing the right sentences.

Scale and Victims

Compromised accounts: 20,000+
Estimated resale value: $1,000,000+

Among those affected were accounts linked to the Obama team's former White House profile, a U.S. Space Force representative, and security researcher Jane Manchun Wong, according to the source material. The accounts were traded on black markets, with the combined value estimated at over one million dollars.

Meta's Response

Meta acknowledged the vulnerability after the incident became public and rolled out an emergency update that disabled the affected AI features. The company stated that impacted accounts had been secured, but provided few details about how the attack was detected or how long it had been ongoing.

A Warning Signal for the Entire Industry

The security community views the case as a fundamentally important example of why AI agents must not be granted unlimited execution authority without deterministic security layers in between. Prompt injection is a well-known risk category in AI security, but the incident demonstrates that even major technology companies can deploy AI-driven support systems without adequate attention to authorization controls.

Experts recommend that privileged operations — such as password resets and email changes — should always require verification through channels that are independent of the AI layer itself, regardless of what the user provides in the chat.
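
The recommendation above, sketched as an added example (not code from Meta or from the reporting): a deterministic gate that sits between the model and the write APIs, so that nothing typed in the chat can authorize a privileged change or choose where a confirmation code is sent. The tool names, the account record and the session fields are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Hypothetical tool names and constructed data; not Meta's real APIs.
PRIVILEGED_TOOLS = {"change_email", "reset_password"}
ACCOUNTS = {"alice": {"verified_email": "alice@example.org"}}

@dataclass
class Session:
    # Written by the login layer only; chat text can never set these fields.
    account_id: Optional[str] = None
    confirmed: set = field(default_factory=set)  # (tool, account) proven out of band

@dataclass
class ToolCall:
    # What the model asks for. Every field is untrusted model output.
    name: str
    target_account: str
    args: dict

def confirmation_destination(call: ToolCall) -> str:
    """Codes go to the contact already on file, never to an address from the chat."""
    return ACCOUNTS[call.target_account]["verified_email"]

def authorize(session: Session, call: ToolCall) -> Tuple[bool, str]:
    """Deterministic gate that runs outside the model, before any write API."""
    if call.name not in PRIVILEGED_TOOLS:
        return True, "non-privileged"
    if call.target_account not in ACCOUNTS:
        return False, "unknown account"
    if session.account_id != call.target_account:
        return False, "session is not authenticated as the target account"
    if (call.name, call.target_account) not in session.confirmed:
        return False, f"step-up required via {confirmation_destination(call)}"
    return True, "authorized"

def dispatch(session: Session, call: ToolCall) -> str:
    """The only path from the model to a write API; denials never reach the API."""
    allowed, reason = authorize(session, call)
    if not allowed:
        return f"DENY {call.name}: {reason}"
    return f"EXECUTE {call.name} for {call.target_account}"
```

The gate reads only the session state and the account record; the `new_email` value the model passes in `args` plays no part in the decision or in where the code is delivered.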