Over the first weekend of June, the Instagram account of the Obama White House got defaced with pro-Iranian images. So did the account of the Chief Master Sergeant of the US Space Force. Sephora lost its account. So did security researcher Jane Wong, who watched the password change without her, then sat through a day of reset attempts. "Quite concerning," she noted, with professional understatement.
The attackers didn't find a zero-day. They didn't phish a password. They didn't breach a single database. Meta itself confirmed no back-end system was touched.
They opened a chat with Meta's AI support assistant and asked it for help.
That's it. That's the whole hack.
How the "exploit" worked
There was no exploit, not in the way we usually mean it. The steps, as Krebs on Security documented them, read less like a CVE and more like a customer service transcript.
You connect through a VPN with an IP near the target's usual hometown, enough to avoid tripping Instagram's automated alarms. You request a password reset, then choose to chat with the AI support assistant. You tell the bot to link the account to a new email address you control. The bot dutifully sends a one-time code to that address. You read the code back. The bot resets the password.
New email on the account. Password reset. Account gone.
Here is the part that makes it elegant, in the way only a genuinely broken thing can be elegant: at no point did the attacker need the victim's real email address. TechCrunch confirmed it. Normally, hijacking an account means compromising the email it's tied to. The bot skipped that entire control. It simply added a second email when asked, and a second email is all you need.
No buffer overflow. No injection in the SQL sense. A conversation, conducted entirely through the front door, with the bot holding it open the whole time.
The part that should worry you most
By May 31, this wasn't a clever one-off. It was a recipe.
Pro-Iran hackers posted a video to Telegram walking through the whole thing, and instructions spread across several channels. Once it's a recipe, the economics flip. A human support rep who got burned by a viral exploit learns fast. By the second attempt they're suspicious, by the tenth they've escalated it to security, and the hole closes through sheer accumulated wariness.
The bot does not learn. It will run the exact same play for the ten-thousandth caller as cheerfully as it did for the first. There is nobody home to develop a bad feeling.
That is the real shift. A published exploit against a human-staffed process degrades as the humans wise up. A published exploit against an agent is a permanent, infinitely repeatable, fully automatable capability until someone ships a patch. The attacker scales for free. The defender does not.
The friction was doing the security
Here is the detail that turns this from a Meta story into a story about how we're all building software now.
Instagram's human support is famously terrible. Recovering a locked account can take weeks of back-and-forth with an automated ticketing system. So Meta did the obvious, reasonable, modern thing. Back in March it rolled the AI support assistant out to every account on Facebook and Instagram and gave it the power to reset passwords and perform critical account maintenance. The product page's tagline: "Solutions, not just suggestions."
Read that tagline again, knowing how the weekend went. The whole pitch was that the bot wouldn't just advise you, it would act. It would reach in and change things. That is exactly the property the attackers needed.
Because that friction Meta was so proud to remove was not pure waste. Some of it was doing security work.
The painful, slow, suspicious-by-default recovery process was a speed bump, and speed bumps stop more than just legitimate users in a hurry. Every annoying verification step, every delay, every "we'll get back to you," was also a cost imposed on an attacker. Meta optimised the speed bump away and called it customer experience. The attackers sent a thank-you note in the form of a defaced government account.
Worse, they removed the fallback along with the friction. Users whose accounts were stolen reported there was no way to escalate to a human at all. The bot was the front door, the back door, and the locksmith, and it answered to whoever spoke last.
This is the trap. We keep treating friction as a pure UX defect to be eliminated, and we forget that a good chunk of security is deliberate friction. When you smooth the path for the legitimate user, you smooth it for everyone.
Why an agent is different from a buggy form
You might say this is just a bad password-reset flow, and bad reset flows predate AI by decades. True. But the agent makes it categorically worse.
Traditional access control is a wall of explicit rules. You have the permission or you don't, and the check runs identically every time. You can audit it, test it, fuzz it.
An agent's "judgment" is not a rule. It's a probability distribution over the next token, and it can be talked into compliance the way a junior employee can be talked into anything by someone confident enough. The attack surface is no longer a form with fields you validate. It's natural language, and natural language is unbounded.
You cannot write a regex for "sounds like a legitimate user having a bad day." There is no input you can fully sanitise, because the input is the entire space of things a human can say.
Every privileged action you wire to an agent becomes a social-engineering target that never learns to be careful. Reset a password. Change an email. Issue a refund. Grant access. Each verb the bot can perform is a verb an attacker can perform by asking.
We keep handing bots authority and acting surprised
We do this constantly now. We give a bot real power, wrap it in a friendly interface, and then act astonished when someone uses the power as designed.
It's the same pattern as the bureaucracy of bots: we keep adding agents with real authority and assuming that authority will only ever be exercised the way we pictured. Meta did not intend its support bot to be an account-recovery oracle for anyone with a VPN. But intent is not a control. The bot doesn't know what it was supposed to be for. It only knows what it can do, and it will do that for whoever asks nicely.
And the industry's reflex, as always, is to sell you another bot to watch the first one. We covered that arms race already. A second model supervising the first does not fix this. It just adds one more thing that can be talked into yes.
What to actually do
If you are wiring an agent into anything that touches accounts, money, or access, treat it as a hostile client, because it becomes one the moment an attacker starts typing.
- Never let the bot hold the privileged action directly. Irreversible operations stay behind a deterministic system with hard checks the bot can request but never override. The agent can open a ticket. It cannot reset the password.
- Keep step-up auth out of the conversation. A flow where the bot accepts a verification code the "user" reads back to it is broken by design. One-time codes are bearer tokens. Whoever holds the code wins, and you just taught the bot to ask for it in chat.
- Don't optimise away security friction by accident. Before you smooth a slow, annoying flow, ask what that slowness was costing an attacker. Some speed bumps are load-bearing.
- Rate-limit and log per identity, not per session. Each attack opened a fresh, innocent-looking chat. If your limits reset with the conversation, you have no limits.
- Put a human on the critical path for account-recovery-class actions. Not for everything. For the verbs that end with someone losing their account.
In closing
Meta patched it over the weekend. VP of communications Andy Stone said the issue was resolved and impacted accounts were being secured. No database was breached, they were keen to point out.
Of course no database was breached. You don't need to breach the database when the assistant at the front desk will hand you the keys, every time, for anyone who asks, and never once wonder why.
The attacker didn't break in.
They just asked. And the bot, helpful to the very end, said yes.