A wave of account takeovers hit Instagram in June 2026 — and the attack was deceptively simple. The hackers needed neither sophisticated malware nor access to internal systems. All it took was writing the right words to Meta's AI chatbot.
Prompt Injection: When Words Are Enough
The attack was built on a well-known but still effective method called prompt injection. The technique involves crafting text input that tricks an AI model into ignoring its original instructions and following the attacker's directives instead. According to the research underlying the reporting, the attackers used Meta's AI support assistant — the tool users normally turn to for help with account issues.
The approach followed a clear pattern:
One example of a phrase used in the attack illustrates its nature: attackers asked the bot to link a new email address to a specified user profile, providing the attacker's own address as the recipient for the confirmation code. The chatbot followed the instruction without verifying who was actually making the request.

Authorization Without a Safety Net
According to security experts, the core problem was not that the chatbot said something wrong — but that it did something wrong with far too much authority.
"The Meta bot verified nothing about who was asking. It just did what it was told — including sending the confirmation code to the attacker's email." — Dan Moore, FusionAuth
Dan Moore, Head of Developer Relations at FusionAuth, told the source material that this exposes a structural weakness in AI agent architectures: the chatbot functioned as both a conversational interface and an authorization mechanism. There was no independent verification layer outside the AI tier that had to be passed before privileged changes were carried out. The bot had write access directly to APIs for password resets and email binding — with no requirement for external approval.
Scale and Victims
Among those affected were accounts linked to the Obama team's former White House profile, a U.S. Space Force representative, and security researcher Jane Manchun Wong, according to the source material. The accounts were traded on black markets, with the combined value estimated at over one million dollars.
Meta's Response
Meta acknowledged the vulnerability after the incident became public and rolled out an emergency update that disabled the affected AI features. The company stated that impacted accounts had been secured, but provided few details about how the attack was detected or how long it had been ongoing.
A Warning Signal for the Entire Industry
The security community views the case as a principally important example of why AI agents must not be granted unlimited execution authority without deterministic security layers in between. Prompt injection is a well-known risk category in AI security, but the incident demonstrates that even major technology companies can deploy AI-driven support systems without adequate attention to authorization controls.
Experts recommend that privileged operations — such as password resets and email changes — should always require verification through channels that are independent of the AI layer itself, regardless of what the user provides in the chat.
