ARCHIVE NB-L026 · .log · 2026·06

Attackers didn't break into Instagram: they asked Meta's support AI, and it opened the door


More than 20,000 Instagram accounts changed hands without anyone having to guess a password or exploit a flaw in the code. All it took was a conversation with Meta's customer support, which today is an artificial intelligence, and the right words to ask it to swap the email tied to an account.

This isn't worth reading as one more "hackers hit a social network" story. What happened is more uncomfortable. Meta replaced the human support agent with an automated one that holds real power, able to change emails and reset passwords, and found out the hard way that a machine trained to be helpful doesn't know how to be suspicious.

How it worked, step by step

On May 31, instructions with the recipe began circulating on Telegram, along with a video in which pro-Iran attackers demonstrated the method. It was simple to the point of being embarrassing:

  • use a VPN, a connection that masks your location, with an internet address near the victim's hometown;
  • request a password reset for the target account;
  • instead of talking to a human, open a chat with Meta's "AI support assistant" and convince it to link a new email to the account;
  • receive, at that attacker-controlled email, the one-time code Meta sent to confirm the change.

With the code in hand, the reset-password button was one click away. The account passed to the attacker without Meta's database ever being touched.

The result was a string of high-profile defacements. The Obama-era White House account, now dormant, the one belonging to beauty retailer Sephora, and that of a senior U.S. Space Force official all showed up carrying pro-Iranian images and messages. Along the way, attackers grabbed short, coveted usernames with an alleged resale value above half a million dollars. The case reached the Portuguese press too, a sign that it doesn't stay in a technical niche: anyone with an Instagram account understands what's at stake.

Why this is different from a normal attack

A trained human support agent raises an eyebrow when someone calls in from a strange location asking to change the email on a verified account. They ask for extra proof, escalate, refuse. An artificial intelligence built to resolve and please does exactly what it's asked, with the confidence of something that has never been fooled. The attacker no longer needs to manipulate a person; they manipulate a system with no instinct and no memory of fraud. It's still social engineering, the art of gaining access by tricking whoever is on the other side, except the other side is now a machine that doesn't suspect.

There's one detail that says everything. The database was never breached; there was no intrusion in the classic sense. What happened was a transfer of ownership that the system itself authorized: the account stayed intact and only the owner changed. For anyone who has to reconstruct what happened afterwards, it's the difference between a forced lock and a key handed to the wrong person with a smile.

Ian Goldin, a threat researcher at Lumen's Black Lotus Labs, summed up what's coming: "AI chatbots create interesting new attack surface, and we're likely going to see a lot more of these kinds of attacks."

How to protect yourself

The good news, and the most important lesson, is that the attack failed every time an account had multi-factor authentication switched on: the second code requested on top of the password. Specifically:

  • Turn on multi-factor authentication on every account that offers it, preferably through an authenticator app and not just by SMS.
  • Be suspicious of any request to change the email or phone number tied to your account, even if it looks like it comes from official support.
  • Check now and then, in your security settings, which emails and phones are linked to your account, and remove anything you don't recognize.
  • Never share one-time codes with anyone, not even "customer support." No legitimate support team asks for them.

Companies are putting artificial intelligence on the front line of customer support faster than they're thinking about how to protect it. Meanwhile, the old and boring second factor is still the lock that separated those who lost their account from those who kept it.
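What "protecting it" looks like at the tool boundary, as an added illustration in Python that is not Meta's code and not part of the original post: the assistant may propose an account change, but a separate policy decides whether it executes. The policy encodes what the trained human agent above does by instinct and what the incident showed matters: the conversation itself never counts as proof of identity, an MFA-protected account always needs its second factor, a confirmation code goes to the contact already on file rather than to the address being added, and a verified account acting from an unusual country is handed to a human. Because the attackers used VPNs near the victim's hometown, location is treated only as a reason to escalate, never as evidence. The `Account` and `ChangeRequest` types, the proof names, and all sample accounts and addresses are constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # execute the change
    STEP_UP = "step_up"    # demand a proof bound to a factor the account already has
    ESCALATE = "escalate"  # hand the case to a human reviewer


@dataclass(frozen=True)
class Account:
    username: str
    email: str                  # contact on file; confirmation codes go here
    mfa_enabled: bool
    verified: bool              # high-profile / verified badge
    usual_countries: frozenset  # countries seen on past logins (constructed data)


@dataclass(frozen=True)
class ChangeRequest:
    account: Account
    action: str          # "change_email", "change_phone", "reset_password", ...
    new_value: str       # the address or number the requester wants added
    proofs: frozenset    # proofs presented so far in this session
    request_country: str
    channel: str         # "user_session" or "support_chat" (hypothetical channel names)


SENSITIVE_ACTIONS = {"change_email", "change_phone", "reset_password"}
# Only these count as proof: each is bound to something the account already holds.
# "chat_assertion" (the requester said so in the chat) is deliberately not in this set.
STRONG_PROOFS = {"mfa_code", "passkey", "existing_email_link"}


def confirmation_recipient(req: ChangeRequest) -> str:
    """A contact change is confirmed through the contact on file, never the value being added."""
    return req.account.email


def decide(req: ChangeRequest) -> Decision:
    """Policy the tool applies regardless of what the assistant was persuaded to request."""
    if req.action not in SENSITIVE_ACTIONS:
        return Decision.ALLOW
    strong = req.proofs & STRONG_PROOFS
    # Rule 1: an MFA-protected account needs its second factor; nothing said in chat substitutes.
    if req.account.mfa_enabled and not (strong & {"mfa_code", "passkey"}):
        return Decision.STEP_UP
    # Rule 2: with no strong proof at all, ask for one via the contact on file.
    if not strong:
        return Decision.STEP_UP
    # Rule 3: a verified account acting from an unusual country goes to a human even with proof,
    # because a VPN near the victim's hometown makes location a signal, not evidence.
    if req.account.verified and req.request_country not in req.account.usual_countries:
        return Decision.ESCALATE
    return Decision.ALLOW


def replay_incident() -> dict:
    """Constructed replay of the reported pattern: a chat request to link a new email."""
    victim = Account("example_brand", "owner@example.com", mfa_enabled=False,
                     verified=True, usual_countries=frozenset({"US"}))
    # Attacker on a VPN in the victim's country, no MFA on the account, only words as proof.
    attacker_req = ChangeRequest(victim, "change_email", "attacker@example.net",
                                 proofs=frozenset({"chat_assertion"}),
                                 request_country="US", channel="support_chat")
    protected = Account("example_user", "me@example.com", mfa_enabled=True,
                        verified=False, usual_countries=frozenset({"PT"}))
    # Same play against an MFA-protected account: a link to the old email is not the second factor.
    protected_req = ChangeRequest(protected, "change_email", "attacker@example.net",
                                  proofs=frozenset({"chat_assertion", "existing_email_link"}),
                                  request_country="PT", channel="support_chat")
    # The real owner, signed in and holding the MFA code, changes their own email.
    legit_req = ChangeRequest(protected, "change_email", "new@example.com",
                              proofs=frozenset({"mfa_code"}), request_country="PT",
                              channel="user_session")
    return {
        "attacker_no_mfa": decide(attacker_req),
        "code_goes_to": confirmation_recipient(attacker_req),
        "attacker_vs_mfa": decide(protected_req),
        "legit_with_mfa": decide(legit_req),
    }


if __name__ == "__main__":
    for name, outcome in replay_incident().items():
        print(f"{name}: {outcome}")
```

The point of the split is that the language model never holds the power to change an email; it can only call a tool, and the tool's policy is ordinary deterministic code that auditors can read and that no amount of persuasive chat can talk around. In the replay, the attacker's request is answered with a step-up challenge delivered to the address already on file, so the one-time code never reaches the attacker-controlled mailbox.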

Original source: Krebs on Security.

#StaySafe
🙏🖖
