Instagram’s AI-powered support tool was manipulated by hackers to bypass security protocols and access other users’ accounts, the company confirmed late Tuesday. The exploit, which remained active for 72 hours before being patched, allowed attackers to send commands through the chatbot interface that triggered account takeover procedures without user interaction.
The breach was first detected by an independent cybersecurity researcher who reported it to Meta’s bug bounty program on Monday. Within hours, Meta’s engineering team isolated the flaw, disabling the AI chatbot’s ability to execute high-risk actions such as password resets or email changes. Instagram has since reinstated the tool with stricter input validation and session monitoring.
Key Points
- ⚡ Hackers exploited Instagram’s AI chatbot to bypass security and access accounts
- 🛠️ Vulnerability remained open for 72 hours before being patched
- 🔒 Meta disabled risky functions and reinstated the tool with enhanced safeguards
Sources familiar with the investigation say the attackers used a technique known as prompt injection, feeding the chatbot malformed commands that tricked it into processing unauthorized requests. Instagram has not disclosed how many accounts were compromised, but the company states that no evidence of mass exploitation has been found.
| Security Layer | Before Fix | After Fix |
|---|---|---|
| Input Validation | Basic text filtering | Strict command parsing |
| Session Monitoring | None | Real-time anomaly detection |
| High-Risk Actions | Enabled via AI | Disabled by default |
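
The "After Fix" column, sketched as an added example that is not Meta's code: a gate between the chatbot and backend actions that parses tool calls strictly, binds them to the logged-in account, and keeps high-risk actions off by default. The action names, the `Session` fields and the JSON tool-call shape are assumptions made for illustration.

```python
import json
from dataclasses import dataclass
from typing import Optional

HIGH_RISK = {"reset_password", "change_email"}   # the actions the article names
LOW_RISK = {"get_help_article"}                  # hypothetical low-risk action

@dataclass(frozen=True)
class Session:
    account_id: str                  # set at login by the server, never by the model
    step_up_verified: bool = False   # e.g. a fresh 2FA challenge was passed

def parse_tool_call(raw: str) -> Optional[dict]:
    """Strict parsing: accept only a JSON object with exactly the expected keys."""
    try:
        call = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(call, dict) or set(call) != {"action", "target_account"}:
        return None
    if not all(isinstance(v, str) for v in call.values()):
        return None
    return call

def authorize(raw: str, session: Session, high_risk_enabled: bool = False) -> str:
    """Return "ok" or a denial reason; the decision uses only server-side state."""
    call = parse_tool_call(raw)
    if call is None:
        return "malformed"
    if call["action"] not in HIGH_RISK | LOW_RISK:
        return "unknown_action"
    if call["target_account"] != session.account_id:
        return "target_mismatch"      # the chatbot may act only on the logged-in account
    if call["action"] in HIGH_RISK:
        if not high_risk_enabled:     # disabled by default, as in the table
            return "high_risk_disabled"
        if not session.step_up_verified:
            return "step_up_required"
    return "ok"

# Constructed sample: a tool call the model emitted that names a different account.
SAMPLE = '{"action": "reset_password", "target_account": "acct_other"}'

if __name__ == "__main__":
    print(authorize(SAMPLE, Session("acct_me")))
```

Logging each denial reason per session gives the session-monitoring layer something to alert on, since a burst of `target_mismatch` results is not normal support traffic.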
Instagram’s AI support tool, launched in 2023, handles over 300,000 user queries daily. It integrates with backend systems to reset passwords, update profile information, and verify identity through automated dialogue. The recent incident raises concerns about the security of AI-driven customer service tools across major platforms.
📋 By The Numbers
- 300,000+ — Daily user queries handled by Instagram’s AI support tool
- 2023 — Year the AI chatbot was introduced
- 1 — Third-party researcher credited with discovering the flaw
Meta has not named the hackers but says they did not target specific individuals or extract sensitive data. The company is reviewing all AI-powered support tools across its platforms, including Facebook and WhatsApp, for similar vulnerabilities. Users are advised to enable two-factor authentication and review login activity regularly.
💡 Pro Tip
Turn on login alerts in Instagram settings under Security. Any unauthorized access attempt will trigger an immediate email with a link to block the device or change your password.
This is the second major AI-related security incident reported by Meta in 2024. Earlier this year, researchers found vulnerabilities in Meta AI’s image generation tool that allowed it to produce harmful content. The company has since rolled out content moderation filters and added human oversight to AI outputs.
- Enable 2FA — Adds a second layer of security beyond passwords
- Review active sessions — Check Devices and Activity in settings weekly
- Limit AI permissions — Turn off AI-driven password resets unless necessary
The company has not disclosed whether it will compensate affected users or offer identity theft protection services, a move some cybersecurity experts say may be warranted given the potential scale of exposure.

