The most sophisticated lock is worthless if someone convinces the doorman to hand over the keys. That is the lesson Meta is learning after hackers exploited its AI-powered customer support chatbot to hijack Instagram accounts belonging to celebrities and verified creators, bypassing the two-factor authentication that was supposed to make such takeovers impossible.

The attackers did not crack encryption or find a zero-day exploit. They simply talked their way past Meta's automated defenses, feeding the AI chatbot a sequence of carefully crafted requests that mimicked legitimate account-recovery scenarios. The chatbot, trained to be helpful and to resolve user complaints efficiently, complied—disabling security measures and initiating password resets without the human judgment that might have flagged the requests as suspicious.

The automation trap

Meta, like every major platform, has spent years trying to reduce its reliance on human customer support. The economics are compelling: an AI chatbot can handle thousands of simultaneous conversations at a fraction of the cost of a call center. But the company appears to have granted its support bot permissions that no entry-level human agent would possess—the ability to override account security settings without escalation to a supervisor or secondary verification.

The vulnerability is not unique to Meta. As companies race to deploy AI agents capable of taking real-world actions—booking flights, processing refunds, modifying account settings—they are discovering that helpfulness and security exist in tension. A chatbot optimized to resolve complaints quickly will, by design, be more susceptible to social engineering than one programmed to say no.

Why celebrities, and why now

Verified accounts with large followings are valuable targets for several reasons. They can be ransomed back to their owners, sold to scammers who use the built-in audience for crypto fraud, or simply held hostage for clout. The attackers reportedly focused on accounts with between 500,000 and several million followers—prominent enough to monetize, but not so famous that Meta's trust-and-safety team would notice immediately.

The timing matters too. Meta has been aggressively integrating AI across its products, from content moderation to ad targeting to customer service. The company's AI chatbot, launched in its current form in late 2025, was marketed as a way to reduce response times for account issues. That pitch now looks uncomfortably like a confession: Meta prioritized speed over scrutiny.

The permission problem

At the heart of this breach is a question that will define the next era of AI deployment: what actions should an AI agent be authorized to take without human oversight? The answer, clearly, is not "reset two-factor authentication on a whim." But the same logic applies to AI systems handling medical records, financial transactions, or legal documents. Every permission granted to an AI agent is a permission that can be exploited by someone who understands how the system reasons.

Meta has reportedly suspended the chatbot's ability to modify security settings while it investigates. The company declined to comment on how many accounts were compromised or whether it has notified affected users.

Our take

This breach is embarrassing for Meta, but it should be instructive for everyone building AI agents with real-world capabilities. The problem is not that the chatbot was too stupid—it is that the chatbot was too obedient. Social engineering works because it exploits trust, and Meta built a system that trusted user inputs without verification. The fix is not smarter AI; it is narrower permissions and mandatory human checkpoints for high-stakes actions. Until companies internalize that lesson, their AI assistants will remain their softest targets.