The widespread hacking campaign, which involved asking Meta AI's chatbot to take over victims' Instagram accounts, appears to be continuing even after the company said it had resolved the issue. Meanwhile, the company is working hard to secure the targeted accounts and warn victims.
Over the weekend, hackers claimed to have taken over several high-profile Instagram accounts by exploiting Meta's AI support chatbot. At the same time, many people complained on social media that their Instagram accounts had been hacked, some of whom had short user profile handles.
TechCrunch has seen instances of allegedly hacked handles featuring common names or country names being resold on the gray market for so-called “OG handles,” mostly as collectibles. Other victims of the hack appear to be a dormant White House account for President Obama (which Meta disputed) and the account of John Bentivegna, chief sergeant of the U.S. Space Force.
These attacks were so simple that calling them hacks may give too much credit to the people behind them, while at the same time not putting enough blame on Meta for failing to prevent the hijacking of people's accounts through rudimentary attacks.
The hacker simply told Meta's AI chatbot that they were the owner of the target's account and asked the bot to link that person's account to an email they controlled. The chatbot responded to the request and allowed the hacker to reset the target account's password and take control of the account, in some cases locking the victim out. No Meta employees or contractors were involved in the chats.
[Image: A screenshot, posted to a Telegram group where hackers shared this technique and boasted about hacking, showing a successful takeover. Image credit: TechCrunch/Screenshot]
On Monday, Meta spokesman Andy Stone said: “The actual issue has been resolved.”
But on Tuesday, more Instagram users claimed their accounts had been hacked.
At the same time, TechCrunch reported discussions among members of the Telegram channel where the hacking techniques were made public. Those members claimed they could still exploit Meta's AI chatbot and, as of TechCrunch's writing, were apparently promoting the hacked handles for sale. (It is important to note that it is difficult to know for sure whether all these accounts were hacked using the same technique.)
“Some people may receive password reset notifications, and others may be asked security questions when they try to log into their accounts,” Stone said in a later post on X.
Stone told TechCrunch in an email that Meta secured the affected accounts on Monday and then began sending password reset emails. In response to questions from TechCrunch, Stone declined to say how many users were hacked.
Several people have reported that Meta has started notifying users that they are being targeted.
Victims have publicly reported receiving emails from Instagram warning them that “we have detected suspicious activity that suggests your Instagram may have been compromised.” The message also said the company was taking steps to protect accounts and asking users to reset their passwords.
[Image: Example of email sent to victims of the hacking campaign (shared with TechCrunch). Image credit: TechCrunch]
As noted by 404 Media, Meta announced in March that it was deploying AI to automate support for users, saying its AI-powered chatbot was “designed to resolve account issues from start to finish” and had the ability to “securely reset passwords.” This suggests that the chatbot can perform actions that, given their importance, may previously have required human involvement.
For years, there has been a thriving market where hackers steal and sell “OG” usernames, which refers to the usernames and handles used by Instagram's earliest users. However, previously, taking over these accounts required more complex strategies, such as phishing victims, hijacking their phone numbers, and bribing telecommunications provider insiders.
Here, the hacker simply asked, and Meta's chatbot dutifully complied.
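The failure described above, an AI support agent re-linking an account's email on the requester's say-so, comes down to where authorization is decided. The following is an added example, not Meta's code and not part of the original article; `SupportTools` and the account data are hypothetical. It contrasts a tool that trusts the chat's claim with one that requires a one-time code sent to the address already on file.

```python
import hmac
import secrets


class SupportTools:
    """Hypothetical account tools that an AI support agent is allowed to call."""

    def __init__(self, accounts):
        self.accounts = accounts  # handle -> {"email": address on file}
        self.pending = {}         # handle -> (one-time code, requested e-mail)
        self.outbox = []          # (recipient, code) pairs the service "sent"

    def link_email_vulnerable(self, handle, new_email, claims_owner):
        # Flawed: the requester's own statement in the chat is the only check.
        if claims_owner:
            self.accounts[handle]["email"] = new_email
            return True
        return False

    def request_email_change(self, handle, new_email):
        # Hardened step 1: nothing changes yet. A one-time code goes to the
        # address already on file, which an impostor cannot read.
        code = secrets.token_urlsafe(8)
        self.pending[handle] = (code, new_email)
        self.outbox.append((self.accounts[handle]["email"], code))
        return "verification_sent"

    def confirm_email_change(self, handle, new_email, code):
        # Hardened step 2: the code is single use (dropped even on failure)
        # and bound to the address that was originally requested.
        expected = self.pending.pop(handle, None)
        if expected is None:
            return False
        ok = (hmac.compare_digest(expected[0].encode(), code.encode())
              and expected[1] == new_email)
        if ok:
            self.accounts[handle]["email"] = new_email
        return ok


def demo():
    # Constructed sample data: one account, one requester who is not the owner.
    weak = SupportTools({"og_handle": {"email": "owner@example.com"}})
    weak.link_email_vulnerable("og_handle", "impostor@example.net", claims_owner=True)
    safe = SupportTools({"og_handle": {"email": "owner@example.com"}})
    safe.request_email_change("og_handle", "impostor@example.net")
    guessed = safe.confirm_email_change("og_handle", "impostor@example.net", "guess")
    return weak.accounts["og_handle"]["email"], safe.accounts["og_handle"]["email"], guessed
```

In the hardened path the model can only ask for a change; the decision rests on proof delivered outside the conversation, so nothing typed into the chat can substitute for it.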

