Already a subscriber? Make sure to log into your account before viewing this content. You can access your account by hitting the “login” button on the top right corner. Still unable to see the content after signing in? Make sure your card on file is up-to-date.

Meta confirmed on Monday that hackers broke into a string of high-profile Instagram accounts by exploiting its AI-powered support chatbot.

Getting into it: First reported by 404 Media, the attack worked by tricking Meta’s AI Support Assistant into linking a hacker-controlled email address to a target’s account, after which the bot would send a password-reset code straight to the attacker, letting them lock out the real owner. The clever part, researchers noted, was that the hackers never needed access to the victim’s actual email. Some attackers used a VPN to spoof their location near the target, dodging Meta’s automated protections, and in cases where the bot asked for identity verification, hackers allegedly fed it AI-generated fake selfie videos. Cybersecurity researchers likened it to old-fashioned “social engineering,” and videos circulating on Telegram showed just how easy the whole thing was to pull off.

Those impacted included the Obama-era White House account (still home to more than 2.4 million followers), which was defaced with Iranian propaganda, along with the account of the US Space Force’s chief master sergeant, beauty retailer Sephora, and even a security researcher who studies app features. Pro-Iran hackers took credit for releasing the exploit video, and attackers appeared to zero in on short, valuable usernames (single letters or words) that can fetch a reported half-million dollars or more on the resale market.

Meta says it has since fixed the issue and is working to secure “impacted accounts.”

This all comes as the breach fuels broader alarm about companies handing sensitive security tasks to AI. Meta rolled out the support assistant globally in March, billing it as able to reset passwords and recover accounts, but users said they had no human to turn to when something went wrong, and one prominent engineer argued Instagram’s trust and safety team had been “gutted” by layoffs and AI reassignments, leaving “no incentives” for security.