Meta Let a Chatbot Reset Your Password. The Hackers Didn’t Even Have to Force It.

The incident is a permissions story, not just a chatbot story.

A support bot does not need to be malicious to become a security problem. It only needs access to something it should not be allowed to change.

Over the weekend, hackers reportedly used Meta’s AI support chatbot to take over high-profile Instagram accounts, including Sephora’s and a senior U.S. Space Force official’s, by simply asking the bot to change the email address on the target account. [1][2][3] TechCrunch verified that the technique worked: ask the bot to add a new email, receive a verification code at that address, feed it back to the bot, reset the password. [2] No malware. No backend breach. A support workflow doing what it was allowed to do, for the wrong person.

Meta launched the AI support assistant in March, promising users “a solution, not just a suggestion” and the ability to resolve account problems “from start to finish.” [6] That included taking action on requests like password resets and profile changes. A few months later, that action capability became the attack surface.

The permissions are the problem

The easy headline is that Meta’s AI got tricked. True, but not specific enough.

Support is not just customer service. In account recovery, support becomes part of the security system. If a support tool can change an email address or reset a password, it is handling the keys. A chatbot can explain the recovery process, collect information, and route a case. But the decision to change account ownership signals should not depend on whether a model is convinced by a chat.

Some of the friction in account recovery exists for a reason. A process that is too strict locks out real users. A process that is too easy becomes a takeover path. AI did not invent that tradeoff, but it changes the scale. A bad human support decision affects one account. A bad AI support workflow can be repeated quickly, consistently, and at volume. Every attacker gets the same playbook.

OWASP calls this category of risk “excessive agency”: an LLM-based system with enough functionality, permissions, or autonomy to perform damaging actions when its output is manipulated or unexpected. [7] That framing fits better than “AI hallucination.” The model did not say something weird. The support system allowed a sensitive action without strong enough identity checks around it.

Reuters quoted Brian Westnedge of Red Sift: “The model was given privileged actions without privileged access controls.” [3]

That is the whole risk in one sentence.

MFA helps, but users cannot fix this alone

Krebs on Security reported that the Telegram account circulating the method said the exploit did not work against accounts with MFA enabled. [5] Turn it on.

But this should not become another story where all the responsibility gets pushed to users. Users cannot decide what permissions Meta gives its support assistant. Users cannot inspect the account recovery flow or force Meta to separate chat from authorization. The platform owns that architecture.

What platforms should learn from this

AI support is not the problem. AI support with sensitive permissions and weak boundaries is the problem.

Changing a recovery email should require proof that does not come from the chat itself. Password resets should go through channels already attached to the account, not newly added ones. High-risk account changes should use device history, session trust, MFA status, rate limits, and human review when needed.

The model should not be the authority. It can gather details, explain steps, and prepare a request. The actual authorization decision should live in a separate system with hard rules, logging, and clear limits.

The tools should also be narrow. Instead of “change this account email,” the action should be “open an account recovery review.” Instead of “reset this password,” it should be “send reset instructions to a verified recovery method.”

Rate-limiting matters here, too. If a single session requests email changes on multiple unrelated accounts within minutes, that pattern should trigger a hold, not a verification code. A newly added email address should not be usable for password recovery immediately. A cooling period of 24 to 48 hours, with a notification to the original address, would have stopped this attack before it started.
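One way to put the rules from this section into an authorization layer that sits outside the model, as an added example that is not Meta's code or part of the original article. The class, the tool names and the thresholds (a 24-hour cooling period, a 10-minute window, one account per session) are assumptions, and the addresses are constructed sample data.

```python
from dataclasses import dataclass, field

COOLING = 24 * 3600      # seconds; the article suggests 24 to 48 hours
WINDOW = 10 * 60         # assumed reading of "within minutes"
MAX_ACCOUNTS = 1         # assumed: accounts one chat session may touch per window

@dataclass
class RecoveryGate:
    """Hard-rule authorization layer; the model can only call the two tools below."""
    contacts: dict                                 # account -> {email: verified_at}
    seen: dict = field(default_factory=dict)       # session -> [(time, account)]
    reviews: list = field(default_factory=list)    # queue for human review
    audit: list = field(default_factory=list)      # every decision is logged

    def _held(self, session, account, now):
        recent = [(t, a) for t, a in self.seen.get(session, []) if now - t <= WINDOW]
        recent.append((now, account))
        self.seen[session] = recent
        return len({a for _, a in recent}) > MAX_ACCOUNTS

    def _trusted(self, account, now):  # only contacts past the cooling period
        return sorted(e for e, t in self.contacts[account].items() if now - t >= COOLING)

    def _log(self, session, account, tool, outcome, recipients, now):
        self.audit.append((now, session, account, tool, outcome))
        return outcome, recipients

    def open_recovery_review(self, session, account, requested_email, now):
        """Narrow tool replacing 'change this account email'; contacts stay untouched."""
        if self._held(session, account, now):
            return self._log(session, account, "review", "hold", [], now)
        self.reviews.append((account, requested_email, now))
        return self._log(session, account, "review", "review_opened",
                         self._trusted(account, now), now)  # notify existing contacts

    def send_reset(self, session, account, now):
        """Narrow tool replacing 'reset this password'."""
        if self._held(session, account, now):
            return self._log(session, account, "reset", "hold", [], now)
        to = self._trusted(account, now)
        return self._log(session, account, "reset", "sent" if to else "review", to, now)

    def approve_review(self, account, email, now):
        """Called by the review system, never exposed to the model."""
        self.contacts[account][email] = now        # cooling period starts here

def demo():
    gate = RecoveryGate({"brand": {"owner@example.test": 0}})  # constructed data
    now = 30 * 86400
    return [gate.open_recovery_review("chat-1", "brand", "new@example.test", now),
            gate.send_reset("chat-1", "brand", now + 60)]
```

In `demo()`, the request to add a new address only opens a review and notifies the existing contact, and the reset that follows goes to the existing contact rather than the address named in the chat.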

There is a big difference between helping a user through security and bypassing security for anyone who asks nicely.

The lesson

On Monday, Meta said the issue had been fixed. [3] By Tuesday, TechCrunch reported the attacks appeared to have continued, with Telegram groups claiming the technique still worked. Meta was still scrambling to secure affected accounts and alert victims. [4]

Whether or not this specific exploit is fully closed, the larger problem is not limited to Meta. Every company is now wiring conversational AI into support, billing, identity, admin panels, and internal operations. That is where agentic AI becomes real. Not in a demo. In the permissions layer.

A chatbot with sensitive permissions is infrastructure. And infrastructure needs locks the model cannot talk its way around.

Sources

[1] 404 Media, “Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked”

[2] TechCrunch, “Hackers hijacked Instagram accounts by tricking Meta AI support chatbot into granting access”

[3] Reuters, “High-profile Instagram AI chatbot breach spotlights security risks of automation”

[4] TechCrunch, “Instagram is alerting users who were targeted by hackers during AI chatbot attacks”

[5] Krebs on Security, “Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts”

[6] Meta Newsroom, “Boosting Your Support and Safety on Meta’s Apps With AI”

[7] OWASP GenAI Security Project, “LLM06:2025 Excessive Agency”