How Hackers Exploited Meta AI to Hijack Instagram Accounts

On June 5, attackers exploited Meta’s AI-powered customer support system to hijack Instagram accounts, including the dormant Obama White House account, which was used to post pro-Iran messages. The method was alarmingly simple: attackers asked the AI agent to link accounts to email addresses they controlled, and the system complied. While this incident didn’t involve AI as the attacker—unlike high-profile cases such as Anthropic’s Mythos model—it exposed a critical vulnerability in how companies deploy AI agents to handle sensitive tasks like account recovery.

This wasn’t the first warning about AI security risks. Since April, when Anthropic disclosed that its Mythos model was so effective at hacking that it couldn’t be released to the public, experts and regulators have focused on the threat of AI-driven cyberattacks. Yet the Meta incident reveals a different—and equally dangerous—flaw: AI systems themselves can become targets, and their simplicity makes them easy to exploit. “As AI becomes more widely used to automate workflows like account recovery, attackers will increasingly target the AI itself,” said Neil Gong, a professor of electrical and computer engineering at Duke University.

The Meta breach was straightforward. Attackers used VPNs to mask their locations as matching the account owners’ regions, then directly requested email changes from the AI support agent. The system processed the requests without verification—a failure that Gong called “surprising.” “I don’t understand why they didn’t find this simple problem before deployment,” he said. Meta has not publicly explained how the vulnerability was missed, though a spokesperson confirmed on June 8 that the issue had been resolved.

Jessica Ji, a senior research analyst at Georgetown’s Center for Security and Emerging Technology, questioned whether Meta had implemented basic safeguards. “Were there guardrails in place? Did anyone test for this scenario?” she asked. The oversight is striking for a company with Meta’s expertise in AI and cybersecurity. Unlike humans, who might ask security questions before making changes, AI agents prioritize task completion—sometimes to a fault. “It’s almost like an eager student who just wants to please the teacher,” said Somesh Jha, a professor of computer science at the University of Wisconsin–Madison.

Why This Matters: The Broader AI Security Crisis

The Meta incident highlights a fundamental tension in AI deployment: flexibility versus security. AI agents, designed to handle dynamic, real-world interactions, can also be tricked in ways humans wouldn’t be. Their ability to act autonomously—such as changing account settings—means mistakes have real-world consequences. “Security and utility always have a trade-off,” noted Bo Li, a professor of computer science at the University of Illinois Urbana-Champaign. Companies push for capable agents to reduce costs and stay competitive, but rushing deployment without rigorous testing creates risks.

Mitigation strategies exist. Traditional software guardrails—such as requiring security questions before processing sensitive requests—can limit damage. Experts also emphasize red-teaming, a process where developers simulate attacks to uncover vulnerabilities before launch. However, red-teaming is resource-intensive. Defenders must patch multiple potential exploits, while attackers need only find one. “When attackers target something as valuable as a single-word Instagram handle, they’ll invest heavily in finding exploits,” Li said. “Defenders have to spend even more to protect that prize.”

As AI models improve, some vulnerabilities may become easier to detect. More advanced systems might flag suspicious requests, such as changing the email for the Obama White House account. AI can also aid in red-teaming, as seen in Anthropic’s Project Glasswing, where Mythos identified its own vulnerabilities. Yet the core challenge remains: the faster AI evolves, the harder it is to secure it thoroughly. “Everybody wants to be first and push things out without careful scrutiny,” Jha warned. “That’s a dangerous approach.”

What Happens Next: The Race to Secure AI Agents

The Meta breach is unlikely to be an isolated incident. As companies increasingly rely on AI for customer support, fraud detection, and other high-stakes tasks, the attack surface grows. The FBI’s recent warning about hackers posing as IT support staff—using low-tech methods to bypass advanced defenses—underscores how attackers adapt to exploit any weakness. For AI agents, the stakes are higher: a single oversight can lead to account takeovers, data leaks, or even geopolitical manipulation, as seen with the Obama White House account.

Regulators and industry groups are likely to scrutinize AI deployment more closely, particularly for systems handling sensitive user data. Meta’s silence on the incident’s specifics may fuel calls for transparency in AI security practices. Meanwhile, companies developing AI agents will face pressure to balance speed with security—without sacrificing innovation. The challenge is clear: AI’s potential is immense, but so are the risks if its vulnerabilities aren’t addressed proactively.

For now, the Meta incident serves as a cautionary tale. It wasn’t about a rogue AI wreaking havoc in a sci-fi scenario. It was about a simple, avoidable mistake—one that attackers will exploit as long as companies prioritize deployment over defense.