Instagram Users Locked Out After Attackers Allegedly Exploit Meta AI Support System

Several Instagram users have reported losing access to their accounts after attackers allegedly manipulated Meta’s AI-powered support tools into believing they were the legitimate account owners.

The incidents primarily affected owners of rare, highly valuable Instagram usernames, many of whom said they had already enabled security measures such as two-factor authentication (2FA) and completed identity verification through facial recognition checks.

Among the reported victims were accounts previously associated with the Obama White House social media team, app researcher Jane Manchun Wong, and high-profile usernames including @hey and @korn.

According to affected users, recovering stolen accounts proved difficult because Meta’s support system relies heavily on automated AI assistance, with limited access to human support agents. Several users described being trapped in repetitive chatbot interactions that failed to resolve the issue.

Reports circulating online suggest the account takeover process was relatively simple. Attackers allegedly initiated Instagram’s account recovery process and claimed that the account had been compromised. When prompted to verify their identity using a selfie video, they reportedly used publicly available photos from the target’s profile and converted them into animated videos using AI-powered video generation tools.

Critics claim Meta’s automated verification system was unable to reliably distinguish between genuine selfie videos and AI-generated facial animations, allowing attackers to pass identity checks.

Some users also alleged that this method bypassed existing 2FA protections, enabling attackers to gain control of accounts despite additional security measures being enabled.

Security researchers and affected users further suggested that some attackers may have used VPN services to appear as though they were connecting from the victim’s usual geographic location, helping them avoid triggering additional security checks.

Once the attacker successfully changed the account’s associated email address, they could reportedly initiate a password reset request and receive the recovery codes needed to complete the takeover.

The attacks drew particular attention because many of the targeted accounts featured rare usernames. Single-letter and highly sought-after usernames are considered valuable digital assets and can reportedly sell for tens of thousands of dollars on underground marketplaces.

Some online claims suggested that even extremely rare single-letter Instagram accounts had been compromised through an active exploit. However, other reports disputed those claims, arguing that certain usernames may have been obtained through internal access rather than a technical vulnerability. These claims have not been independently verified.

Meta has not released a formal public statement detailing the incidents. However, the company’s Vice President of Communications, Andy Stone, responded to complaints on social media, stating that the issue had been resolved and that affected accounts were being secured.

The incident has renewed concerns about the growing reliance on AI-driven customer support systems, particularly for account recovery processes involving valuable digital assets. Critics argue that automated systems can be vulnerable to manipulation and that users need access to human support channels when security incidents occur.