What happened: Attackers manipulated Meta's AI-powered support chatbot to gain control of several Instagram accounts, including those linked to Sephora, the U.S. Space Force, and an Obama-era White House account. The takeovers did not rely on a software vulnerability: the chatbot was manipulated into linking accounts to attacker-controlled email addresses and initiating password resets.
Why it matters: Many organizations are now using AI assistants to handle sensitive account actions—password resets, multi-factor authentication recovery, account unlocks—but cybersecurity experts warn that traditional verification methods like security questions or conversational prompts can be manipulated through social engineering. If an AI assistant can be talked into bypassing security, it becomes an automated entry point for attackers.
What to watch: The incident highlights that AI systems should not be trusted to verify identity on their own. Security experts recommend separating identity verification from the support conversation: verify the user with trusted authentication methods already registered to them, such as Okta Verify Push, FastPass, FIDO2 security keys, and biometric authentication, and allow sensitive actions only after that verification succeeds.
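The separation recommended above can be enforced with a gate that sits between the assistant and the account system. The sketch below is an added example, not code from Meta, Okta or the article; the action names, the key and the `issue_verification` verifier (a stand-in for a push approval or FIDO2 assertion) are assumptions made for illustration.

```python
import hashlib
import hmac
import time

GATE_KEY = b"constructed-demo-key"   # constructed; held by verifier and gate only
SENSITIVE = {"change_email", "reset_password", "remove_mfa"}  # hypothetical action names
MAX_AGE = 300                        # seconds a verification stays valid

def _mac(account, action, issued_at):
    msg = f"{account}|{action}|{issued_at}".encode()
    return hmac.new(GATE_KEY, msg, hashlib.sha256).hexdigest()

def issue_verification(account, action, authenticator_ok, now=None):
    """Hypothetical verifier: runs only after a registered authenticator
    (push approval, FIDO2 assertion) has succeeded for this account."""
    if not authenticator_ok:
        return None
    issued_at = int(time.time() if now is None else now)
    return {"account": account, "action": action,
            "issued_at": issued_at, "mac": _mac(account, action, issued_at)}

def authorize(tool_call, verification, now=None):
    """Gate between the assistant and the account system. Its inputs are the
    requested action and the verifier's token; the chat transcript is not one."""
    account, action = tool_call["account"], tool_call["action"]
    if action not in SENSITIVE:
        return True, "not sensitive"
    if not isinstance(verification, dict):
        return False, "no out-of-band verification"
    v_acct, v_act = verification.get("account"), verification.get("action")
    issued_at = verification.get("issued_at")
    expected = _mac(v_acct, v_act, issued_at).encode()
    if not hmac.compare_digest(expected, str(verification.get("mac")).encode()):
        return False, "bad token"
    if (v_acct, v_act) != (account, action):
        return False, "token bound to a different account or action"
    now = int(time.time() if now is None else now)
    if not isinstance(issued_at, int) or not 0 <= now - issued_at <= MAX_AGE:
        return False, "token expired"
    return True, "verified"
```

Because the token is bound to one account and one action and expires quickly, nothing said in the conversation can stand in for it, and a verification obtained for one account cannot be replayed against another.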