Cyber AI, Identity Security, Social Engineering

Meta's AI Support Bot Shows Why Account Recovery Is a Security Boundary

KrebsOnSecurity reported that attackers allegedly tricked Meta's AI support assistant into resetting Instagram accounts, turning customer support automation into an account takeover path.

Author: Evolving Cyber
Published: Jun 1, 2026
Reading Time: 6 min read
Illustration of an AI support bot handing over an Instagram account to an attacker

On June 1, 2026, KrebsOnSecurity reported that attackers had briefly defaced high-profile Instagram accounts after instructions circulated on Telegram for tricking Meta's AI support assistant into resetting account access. According to Krebs, the claimed flow involved using a VPN near the target's usual location, starting a password reset, choosing the AI support assistant, and persuading the bot to add a new email address to the target account.

The Guardian and TechRadar later added useful context: the affected accounts reportedly included high-profile targets such as the Obama White House archive account, Sephora, and a U.S. Space Force senior enlisted leader. TechRadar also reported that Meta told Maine regulators 20,225 people were affected, and that the underlying problem involved High Touch Support, an AI-assisted Instagram account recovery system that did not properly verify whether a password reset email matched the account's existing email.

Meta said the issue had been resolved and that impacted accounts were being secured. The important lesson is bigger than one social media platform: automated support systems are now part of the authentication surface.

Why this belongs in the blog

Account recovery is often weaker than login. A company may invest heavily in MFA, device checks, and anomaly detection, but then allow support workflows to reset ownership if a requester can sound convincing enough. That risk is not new. Human help desks have been socially engineered for years. What is new is the scale and consistency of AI-assisted support.

An AI bot can reduce friction for real users, but it can also become a privileged workflow executor. If it can add emails, send reset codes, change recovery settings, or validate identity based on weak signals, it needs the same threat modeling as an admin panel.

This is not only a "prompt injection" story. It is a workflow authorization story. If a bot is allowed to change account ownership fields, then the bot is effectively operating with identity-administration privileges. The prompt may be the visible failure, but the deeper failure is that a recovery flow allowed a support interaction to become an ownership transfer.

Design controls that should exist

AI support can be useful for low-risk tasks: explaining policies, gathering initial information, routing tickets, and helping users find settings. It should not be the sole authority for account-control changes.

High-risk recovery actions should require layered controls:

  • Verify that the new recovery email or phone has a trusted relationship to the account.
  • Require proof from an already enrolled factor before changing recovery channels.
  • Block AI-only approval for high-value usernames, verified accounts, brand accounts, and public-sector accounts.
  • Use delayed recovery for sensitive changes, with notifications to existing account channels.
  • Provide human review for risky recovery paths, but protect reviewers with clear checklists and escalation rules.
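
The layered controls above can be expressed as a policy gate that sits between a support assistant and the account service, so the decision rests on verified facts rather than on what was said in the chat. This is an added example, not code from Meta or from the original post; the action names, account tiers, field names and the 72-hour delay are assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta

# All names, tiers and the 72-hour delay below are illustrative assumptions.
HIGH_RISK = {"add_email", "change_phone", "reset_mfa", "remove_passkey"}
PROTECTED_TIERS = {"verified", "brand", "public_sector", "high_value_username"}
RECOVERY_DELAY = timedelta(hours=72)

@dataclass(frozen=True)
class RecoveryRequest:
    actor: str                      # "ai_assistant" or "human_agent"
    action: str
    account_tier: str               # "standard" or a PROTECTED_TIERS value
    enrolled_factor_verified: bool  # set by the auth service, never by chat text
    new_contact: str = ""           # email or phone being added, if any
    trusted_contacts: frozenset = frozenset()  # channels already tied to the account
    human_reviewed: bool = False

@dataclass(frozen=True)
class Decision:
    outcome: str                    # "allow" | "delay" | "escalate" | "deny"
    reason: str
    notify_existing_channels: bool = False
    delay: timedelta = timedelta(0)

def authorize(req: RecoveryRequest) -> Decision:
    """Decide a support-initiated change from verified facts, not conversation."""
    if req.action not in HIGH_RISK:
        return Decision("allow", "low-risk action")
    # Proof from an already enrolled factor is required before anything else.
    if not req.enrolled_factor_verified:
        return Decision("deny", "no proof from an enrolled factor", True)
    ai_only = req.actor == "ai_assistant" and not req.human_reviewed
    # No AI-only approval for verified, brand or public-sector accounts.
    if req.account_tier in PROTECTED_TIERS and ai_only:
        return Decision("escalate", "protected account needs human review", True)
    # A contact with no prior relationship to the account is never added by the bot alone.
    unknown = bool(req.new_contact) and req.new_contact not in req.trusted_contacts
    if unknown and ai_only:
        return Decision("escalate", "new contact has no trusted relationship", True)
    # Approved sensitive changes are held and announced on existing channels.
    return Decision("delay", "approved; held for the delay window", True, RECOVERY_DELAY)
```

Every outcome for a high-risk action sets `notify_existing_channels`, so the current account holder hears about denied and escalated attempts as well as approved ones.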

What teams should learn

  • Treat account recovery as authentication, not customer service.
  • Restrict what AI support systems can change without human review.
  • Require step-up verification before changing email, phone, MFA, passkeys, or recovery methods.
  • Log and alert on recovery changes, especially for high-value accounts.
  • Test AI support workflows with adversarial prompts before launch.
  • Keep MFA enabled on social and brand accounts, preferably passkeys or security keys.

The takeaway

AI support should not be allowed to make identity decisions based only on persuasion and context clues. If a recovery workflow can transfer account control, it is a security boundary.

Sources