Hackers compromised over 20,000 Instagram accounts by exploiting a vulnerability in Meta’s AI-powered account support chatbot, and the method required almost no technical skill. The attackers simply asked the chatbot to send account verification codes to their own email addresses instead of to the legitimate account owners, and the AI complied.
Meta has now notified all 20,225 affected users, according to reports on the scope of the breach. The company says it has since patched the vulnerability. The hack itself follows a disturbingly simple pattern: the attacker contacts the AI support bot, requests account access, and provides an email address they control.
The bot processes the request and sends a verification code to the attacker’s address, bypassing the account owner entirely. A screengrab posted on X by user @oracles shows the chatbot offering almost no resistance to the request.
Any human moderator would have immediately flagged this kind of request. That is the core problem. Meta has cut more than 20% of its staff in 2026, actively replacing human support and moderation roles with AI systems. CEO Mark Zuckerberg has repeatedly argued that Meta’s AI tools can match or exceed human performance in these functions. This incident directly challenges that claim.
The deeper vulnerability this exposes goes beyond one patched bug. Conversational AI tools accept requests in an infinite number of phrasings and framings. Blocking one exploit path does not close the door on the next variation.
A bad actor can ask the same underlying question dressed as a roleplay, a hypothetical, a technical test, or a customer service simulation, and the AI may comply with any of them. Meta cannot feasibly anticipate every possible phrasing of a malicious request, which means AI-powered account support will remain structurally more vulnerable than human-staffed alternatives for the foreseeable future.
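If no phrasing filter can be complete, the control has to sit in the backend action the bot triggers, where every phrasing arrives as the same structured call. The sketch below is an added example, not Meta's code or part of the original article: the `send_code_*` handlers, account names and addresses are hypothetical and constructed. It contrasts a handler that trusts the address from the chat with one that delivers only to the verified address on file.

```python
import secrets

# Constructed sample data; account names and addresses are hypothetical.
ACCOUNTS = {"alice_ig": {"verified_email": "alice@example.com"}}
OUTBOX = []      # stands in for the mail service: (recipient, code)
AUDIT_LOG = []   # events a detection pipeline would consume


def _new_code():
    return f"{secrets.randbelow(10**6):06d}"


def send_code_vulnerable(account_id, model_args):
    """Weak pattern: the destination is taken from the conversation."""
    dest = model_args["email"]
    OUTBOX.append((dest, _new_code()))
    return {"sent": True, "to": dest}


def send_code_hardened(account_id, model_args):
    """Destination comes only from the account record, never from the chat."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return {"sent": False, "reason": "unknown_account"}
    on_file = account["verified_email"]
    requested = (model_args.get("email") or "").strip().lower()
    if requested and requested != on_file.lower():
        # Same outcome for every phrasing: the check sits below the model.
        AUDIT_LOG.append({"event": "destination_mismatch", "account": account_id})
        return {"sent": False, "reason": "destination_mismatch"}
    OUTBOX.append((on_file, _new_code()))
    return {"sent": True, "to": "address on file"}


def recipients_for(handler, model_args):
    """Run one tool call and return the addresses that received a code."""
    OUTBOX.clear()
    handler("alice_ig", model_args)
    return [recipient for recipient, _ in OUTBOX]


if __name__ == "__main__":
    attacker_args = {"email": "attacker@example.net"}  # constructed
    print(recipients_for(send_code_vulnerable, attacker_args))
    print(recipients_for(send_code_hardened, attacker_args))
    print(recipients_for(send_code_hardened, {}))
```

The mismatch event in `AUDIT_LOG` is the signal a support team would alert on, since repeated mismatches against one account indicate a takeover attempt regardless of how the request was worded.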
Meta is investing hundreds of billions of dollars in AI development. This incident raises a direct question about how much of that infrastructure it can safely hand over to systems that lack the contextual judgment human moderators apply instinctively.
