Meta's Own AI Handed Hackers the Keys to Instagram — No Password Required

Technology · 206 articles covering this story · 2026-06-01

"Robotics classes Learn Artificial Intelligence Instagram Post (2)" by Mastikipaathshaala is licensed under CC BY 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by/4.0/.

When Meta announced it was rolling out an AI-powered support assistant across Facebook and Instagram earlier this year, the pitch was frictionless help. The product page promised "solutions, not just suggestions" — the chatbot could reset passwords, swap email addresses, and perform sensitive account-maintenance functions in plain conversational English. What Meta did not advertise, apparently, was that anyone on earth could use those same capabilities to walk out with someone else's account.

The mechanism was almost embarrassingly simple. Attackers would open a support chat with Meta's AI, invoke the password-recovery flow for a target account, and then — rather than selecting the structured options the chatbot presented — type a freeform message asking it to route the verification code to the attacker's own email address. The bot complied. It sent the code. The attacker pasted it back. The chatbot surfaced a "Reset Password" button. Game over.

There was no exploited buffer overflow. No injected shellcode. No dark web zero-day. The chatbot simply lacked any mechanism to verify that the person asking for account access was the person who owned the account. The AI was granted write-level access to Instagram's most sensitive credential infrastructure, and it would do whatever a confident-sounding prompt instructed it to do.

The accounts targeted were not random. Among the confirmed victims: the official Obama White House Instagram page — dormant but historically significant — the Chief Master Sergeant of the United States Space Force, and the beauty retailer Sephora's corporate account. Security researcher ZachXBT flagged the issue publicly on May 31st, writing that Meta's AI support "has lots of access perms which allowed you to reset passwords to any user without 2FA and did not verify who you are." The first documented exploitation videos circulated through Telegram channels — one attributed to a pro-Iran hacking collective — showing the attack executed step-by-step in real time.

The exploit had one documented limit: accounts protected by any form of multi-factor authentication — including even the weakest variant, SMS one-time codes — were reportedly immune. That is a damning footnote. The vast majority of Instagram's roughly two billion users do not have MFA enabled. Meta has nudged users toward MFA for years without making it mandatory. The decision to give its AI support tool direct write access to account email and password systems, without first requiring MFA enrollment as a baseline, was a policy call. Someone at Meta made it.
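As an added illustration of the design flaw described above (the delivery address for the verification code taken from the conversation) and of the MFA gate that reportedly stopped it, the mock below puts the flawed tool shape beside a hardened one. This is constructed example code, not Meta's implementation; every account, address and function name in it is made up.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    handle: str
    contact_email: str                 # address on record: the only legitimate code destination
    mfa_enabled: bool = False
    pending: dict = field(default_factory=dict)   # code -> address it was actually sent to


# Constructed sample directory standing in for the identity store.
ACCOUNTS = {"owner": Account("owner", "owner@example.com")}
OUTBOX = []   # (destination, code) tuples; stands in for the mail service


def _send_code(destination):
    code = secrets.token_hex(4)
    OUTBOX.append((destination, code))
    return code


# Flawed tool shape: the agent forwards whatever destination the conversation asked for,
# so the tool schema itself lets an unverified caller choose where the proof of possession goes.
def vulnerable_start_recovery(handle, destination_email):
    acct = ACCOUNTS[handle]
    acct.pending[_send_code(destination_email)] = destination_email
    return "code sent"


# Hardened tool shape: no destination parameter exists for the model to fill in,
# MFA-enrolled accounts are refused outright, and the code goes only to the address on record.
def hardened_start_recovery(handle):
    acct = ACCOUNTS[handle]
    if acct.mfa_enabled:
        return "refused: MFA-enrolled account, assistant may not reset credentials"
    acct.pending[_send_code(acct.contact_email)] = acct.contact_email
    return "code sent to address on record"


def hardened_finish_recovery(handle, supplied_code):
    """True only for a live, single-use code that was delivered to the address on record."""
    acct = ACCOUNTS[handle]
    for code, destination in list(acct.pending.items()):
        if hmac.compare_digest(code, supplied_code) and destination == acct.contact_email:
            acct.pending.clear()
            return True
    return False
```

The point of the hardened shape is that authority never flows from the prompt: the tool's parameters bound what any caller, model or human, can ask for, and the finish step is the only thing that authorizes a later password or email change.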

Meta pushed an emergency hotfix on the Friday night following public exposure — disabling or sharply restricting the conversational flows that had direct write access to email-binding and password-reset APIs. In a statement, the company said: "There was no breach of our systems and people's Instagram accounts remain secure." That framing deserves scrutiny. The accounts of the Space Force's senior enlisted leader and the Obama-era White House were demonstrably seized. Meta's own AI assistant performed the hostile account transfers. Calling that "secure" is a press-relations posture, not a security assessment.

Further muddying the picture: researchers and affected users reported that Meta's "fix" initially amounted to removing a "Get Support" button from the frontend interface — blocking easy access to the chatbot flow without actually closing the underlying API exposure. Meta subsequently confirmed a more substantive patch, but the company's own support ecosystem — which routes distressed users through automated bots with little obvious path to a human being — left hijacking victims with almost no recourse. At least one former Meta security engineer, who identified herself publicly on X, reported having her own Instagram password changed without her knowledge and receiving a barrage of unauthorized password-reset attempts.

This incident belongs in a wider conversation that the technology industry has mostly refused to have honestly. AI agents are being handed administrative access to live systems at a pace that has outrun the identity and authorization frameworks designed to keep those systems safe. The promise of "agentic AI" — bots that do things on your behalf, not just answer questions — is also, structurally, a promise that a sufficiently convincing prompt could do those things on someone else's behalf. Meta is not uniquely reckless here; it is among the first major platforms to discover, publicly and embarrassingly, where that road leads.

The questions that now require direct answers from Meta are precise and technical: What authorization checks, if any, were in place before the chatbot would act on credential-change requests? Were security and trust-and-safety teams consulted before the AI support tool was granted write access to password-reset APIs? And why, given that MFA demonstrably blocked the attack, has the company not made MFA mandatory for accounts before extending AI-assisted account recovery? The press release is already written. The answers are not.
