In late May and early June 2026, attackers exploited Meta's newly deployed AI Support Assistant to take over Instagram and Facebook accounts at scale. The attack required no stolen credentials, no phishing links, and no malware. Attackers simply convinced an AI chatbot to hand over the keys.
Meta had recently expanded its AI Support Assistant (announced March 2026) to handle common recovery tasks like password resets, email relinking, and ownership verification. The goal was to reduce reliance on slow human support and provide faster "solutions, not just suggestions." This backfired when attackers discovered the AI could be socially engineered into performing high-privilege actions with minimal barriers.
The attack flow was shockingly simple:
The entire process took minutes. It was demonstrated in videos shared on X and Telegram. High-profile victims included the Obama White House account, Sephora, a U.S. Space Force chief master sergeant, and valuable short usernames sold on underground markets.
Scale: Meta later confirmed approximately 20,225 accounts were affected worldwide. Many were restored, but the incident caused significant reputational damage. Meta patched it over a weekend, disabled vulnerable AI flows, and forced password resets.
The chatbot had authority to perform sensitive actions (email changes, password resets) but lacked robust independent verification of ownership. It relied on conversational trust and the VPN-spoofed location signal rather than multi-factor checks, biometrics, or human escalation.
The AI acted as a privileged intermediary that attackers could manipulate. This is a classic security principle violation: never let a "confused deputy" perform actions on behalf of unverified users. The AI was too compliant and too powerful.
VPNs easily spoofed location; many accounts had loose or inferable location data from public profiles. Meta treated location as a strong verification signal when it was actually trivial to forge.
Meta pushed AI support to scale customer service and reduce costs, but testing missed this social engineering vector. Capabilities (conversational fluency + action-taking) outpaced safety tooling.
This incident highlights systemic challenges as companies deploy agentic AI (systems that can take real-world actions like modifying accounts, not just chat):
Email changes and password resets should require app-based 2FA, device binding, or biometric verification (e.g., selfie video). No single signal (location, conversation) should be sufficient.
The AI should not have direct authority to modify account credentials. Informational support and transactional actions should be handled by separate systems with different approval workflows.
Phrases requesting email changes, password resets, or account modifications should trigger immediate human escalation. Multi-technique scoring (authority + urgency + policy framing) can catch sophisticated social engineering.
Encoded payloads (base64, URL-encoded, hidden in documents) can bypass surface-level filters. The defense must decode and re-scan before processing any recovery request.
Multiple recovery attempts for different accounts from the same IP, or sudden spikes in email-change requests, should trigger automatic throttling and security review.
For high-stakes actions, require two independent verification layers: (1) identity verification that cannot be bypassed by the same channel, and (2) a confirmation step through a separate medium (SMS, app notification, email to original address).
Direct Prompt Injection: Telling the AI to ignore instructions or adopt a new objective. Used in the Chevrolet $1 car incident and the Bing "Sydney" leak.
Indirect Prompt Injection (IDPI): Hiding instructions in documents, images, or web pages that the AI later processes. Used in Google Bard data exfiltration and Microsoft Copilot EchoLeak.
Confused Deputy Attacks: Tricking a privileged intermediary (AI agent, API gateway, automation bot) into performing unauthorized actions on behalf of an attacker.
Encoding Evasion: Wrapping malicious payloads in base64, URL encoding, or steganography to bypass surface-level text filters. The filter sees harmless characters; the decoder sees the attack.