Hackers Exploit Meta AI Flaw to Compromise High-Profile Instagram Accounts
AI-generated from multiple sources. Verify before acting on this reporting.
SAN FRANCISCO — Threat actors have successfully compromised multiple high-profile Instagram accounts by exploiting a logic flaw in Meta's AI-powered account recovery assistant, security researchers confirmed on Monday. The attack, which began on June 2, 2026, leveraged a vulnerability known as a 'confused deputy' issue, allowing unauthorized users to bypass standard fraud detection and two-factor authentication protocols.
The vulnerability resides within the automated systems Meta deployed to assist users in regaining access to locked or compromised accounts. The AI assistant, designed to verify identity and facilitate recovery, was manipulated by attackers, who tricked it into granting them administrative privileges. By exploiting the logic flaw, the hackers were able to reset passwords and lock out legitimate account owners without triggering security alerts.
Meta has acknowledged the breach and is working to restore access to affected accounts. The company stated that the issue was identified after a surge in unusual recovery requests flagged by internal monitoring systems. Security patches are being deployed across the platform to close the loophole, though the full extent of the compromise remains unclear.
The attack highlights growing concerns over the security of AI-driven tools integrated into critical infrastructure. Unlike traditional hacking methods that rely on brute force or phishing, this exploit took advantage of the AI's decision-making logic. A 'confused deputy' flaw occurs when a system with high privileges is tricked into using its own authority to perform actions on behalf of a user with lower privileges, effectively granting the attacker elevated access.
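The confused-deputy pattern described above, shown as an added example that is not Meta's code and does not reconstruct the actual flaw, whose technical details the reporting does not give. `Session`, `RecoveryBackend` and the tool-call dictionary are hypothetical names; the assumption is an assistant that emits a tool call which a privileged backend then executes.

```python
from dataclasses import dataclass, field


class Denied(Exception):
    """The requester has no verified claim on the target account."""


@dataclass
class Session:
    # Hypothetical: filled in only by the verification layer (for example after
    # a code sent to the account's registered e-mail is confirmed), never from
    # text the assistant model produced.
    verified_accounts: frozenset = frozenset()


@dataclass
class RecoveryBackend:
    reset_log: list = field(default_factory=list)

    def reset_confused(self, tool_call: dict) -> str:
        # Confused deputy: the backend acts with its own authority on whatever
        # account the model named, so requester-influenced text picks the target.
        self.reset_log.append(tool_call["account"])
        return "reset:" + tool_call["account"]

    def reset_checked(self, session: Session, tool_call: dict) -> str:
        # Hardened: authority comes from the requester's verified session; the
        # model can only choose among accounts the requester has already proved.
        account = tool_call["account"]
        if account not in session.verified_accounts:
            raise Denied(account)
        self.reset_log.append(account)
        return "reset:" + account


def demo() -> dict:
    # Constructed sample: the requester is verified for "alice", but the
    # assistant's tool call names a different account, "celebrity".
    session = Session(verified_accounts=frozenset({"alice"}))
    tool_call = {"tool": "reset_password", "account": "celebrity"}
    confused, checked = RecoveryBackend(), RecoveryBackend()
    out = {"confused": confused.reset_confused(tool_call)}
    try:
        out["checked"] = checked.reset_checked(session, tool_call)
    except Denied as exc:
        out["checked"] = "denied:" + str(exc)
    own_call = {"tool": "reset_password", "account": "alice"}
    out["own_account"] = checked.reset_checked(session, own_call)
    out["checked_log"] = list(checked.reset_log)
    return out
```

In the hardened path the denial is also the detection point: a tool call naming an account outside the requester's verified set is worth logging and alerting on.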
Several prominent users, including celebrities and public figures, reported losing control of their accounts within hours of the attack. Some accounts were used to post fraudulent messages or promote scams before being locked down. Meta has not disclosed the total number of compromised accounts, citing ongoing investigations.
Cybersecurity experts warn that similar vulnerabilities could exist in other AI-powered systems across the tech industry. The incident underscores the need for rigorous testing of automated decision-making tools, particularly those handling sensitive user data and authentication processes.
Meta has urged users to enable additional security measures, including hardware-based two-factor authentication and backup codes, to protect against future attacks. The company is also reviewing its AI recovery protocols to prevent similar exploits.
As of Monday evening, the situation remains fluid. It is unclear whether the attackers have moved laterally to other Meta platforms or if the exploit has been weaponized for broader campaigns. Meta has not commented on whether any user data beyond account access was exfiltrated during the breach.
The incident marks one of the most significant security failures involving AI systems in recent years, raising questions about the reliability of automated tools in high-stakes environments. As investigations continue, the tech industry faces renewed scrutiny over the integration of artificial intelligence into security-critical functions.