- Meta’s AI support agent could change Instagram account emails with zero identity verification.
- Stolen premium accounts circulated on Telegram channels before Meta patched the flaw Friday.
- Vitalik Buterin linked the incident to a broader case for self-sovereign, locally run AI agents.
Meta’s own AI handed over Instagram accounts to strangers. No passwords. No hacking. Just a prompt.
The Meta AI support assistant, deployed across Instagram to handle account recovery and profile settings, was found to accept email change requests from anyone who knew a target’s username. Security researcher weezerOSINT posted on X Saturday that the exploit was already spreading across Telegram channels with thousands of views.

Screenshot circulating in Telegram channels showing the method used to exploit Meta AI. (Source: @weezerOSINT / X)
The method was simple. An attacker identified a target Instagram username, matched their apparent location through a VPN proxy, then told the AI: link my new email address. The assistant sent a verification code directly to the attacker’s inbox. From there, a standard password reset completed the takeover. The real account owner received no alert. No push notification. No warning email, per reports from
Security researchers ZachXBT and Dark Web Informer were among the first to surface the exploit publicly, revealing that threat actors had focused specifically on premium short-handle accounts such as @hey and @jowo, assets valued collectively above $1 million in underground resale markets.
The Accounts Were Gone Before Meta Even Responded
Stolen accounts moved through private Telegram groups almost immediately. Dark Web Informer, a cybersecurity tracking account, confirmed sales listings circulating in real time before Meta patched anything. The attack required no technical skill beyond knowing the target’s Instagram handle.
As weezerOSINT posted on X: “meta gave their AI way too many permissions and people figured it out. secure your accounts now change your email to something private, enable 2FA, and don’t sleep on this.”
“This lit allows u to pull 90% of IG accounts”
That claim, posted alongside the method screenshot, was circulating in multiple large channels by Saturday morning.

Screenshot of the Meta AI support assistant sending a verification code to an attacker-controlled email address. (Source: Shared via X)
The screenshot of the conversation shows Meta AI confirming it had sent a verification code to an email address the requester supplied. No confirmation of account ownership. No challenge question. No secondary authentication layer. The AI processed the request as valid.
Meta’s official statement after patching read: “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems and people’s Instagram accounts remain secure.” The company framed it as a bug. Security researchers pushed back on that framing, noting the real problem was architectural: the AI was given write-level access to identity settings without a verification gate.
Not a Hack. A Design Decision.
This was not a traditional server breach. Meta confirmed no backend systems were compromised. The vulnerability lived in the AI’s decision-making layer, which lacked rate-limiting or identity enforcement before executing account changes. Cyberpress reported the flaw stemmed from “insufficient controls in how the AI processed account recovery requests,” effectively letting anyone initiate a takeover with only a username.
Eleven days before the incident surfaced publicly, Meta had cut roughly 8,000 employees including staff from its integrity and cybersecurity divisions, according to reporting by Neowin, which noted the company had justified the cuts by stating AI tools had made large teams unnecessary. The timing drew immediate attention from security researchers.
The flaw, as documented, is a prompt injection attack. The AI accepted external input and acted on it as a trusted instruction. No exploit code. No server access required.
Vitalik Buterin’s Warning Was Already Written
Ethereum co-founder Vitalik Buterin had published a detailed post in April 2026 laying out what a secure, self-sovereign AI setup looks like. When the Meta incident broke, he pointed directly at it on X.
As Vitalik Buterin posted on X: “This is why: Self-sovereign identity, data and money (so you control your account, not a third-party provider). CROPS AI (so other people cannot do this to your computer).”
“The risky situation is, of course, not that I personally want to scam someone, rather it is that some malicious text that my LLM sees will hack the LLM and cause it to use its control over my email and Signal account to do something malicious.”
Buterin’s April 2026 writeup, published at vitalik.eth.limo, laid out the exact failure mode Meta just demonstrated at scale. He documented that AI agents given broad write access to communication channels or identity systems, without human confirmation layers, become attack surfaces rather than helpers.
“OpenClaw agents are able to modify critical settings including adding new communication channels and modifying its system prompt without requiring confirmation from a human,” Buterin wrote, referencing security criticism of AI agent tools. He described a demonstration in which a malicious webpage directed an agent to download and execute a shell script without the user’s knowledge.
The Meta incident is exactly that failure, applied to 2 billion Instagram users.
How to Protect Your Account Right Now
weezerOSINT, the researcher who first flagged the exploit spreading across channels, listed three immediate steps in a follow-up post on X: change your account email to a private address, enable two-factor authentication, and add a face scan on sign-in as an extra layer.
Meta confirmed the patch was applied late Friday, June 1. Accounts without 2FA were the most exposed. Accounts already taken over before the patch are not automatically restored.
Whether Meta’s fix addresses the underlying architecture or only the specific email-swap pathway remains unclear. The broader question, whether AI support agents should have write-level access to identity settings without a human confirmation step, has not been answered in any public statement from the company.
Buterin’s argument is that they should not. “The new two-factor confirmation is that the two factors are the human and the LLM,” he wrote. “Humans fail sometimes. LLMs fail sometimes too. The hope is that humans and LLMs fail in distinct ways, and so requiring human plus LLM 2-of-2 confirmation to take risky actions is much safer than fully relying on either one alone.”
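As an added illustration (not Meta's code, nor anything from the researchers quoted above), the two dispatcher designs this article contrasts, in Python: an agent tool that rewrites the recovery email on the strength of a username typed into the chat, beside a gated version that demands a code delivered to the address already on file, an explicit human confirmation (Buterin's human-plus-LLM 2-of-2), and a per-account attempt cap. The tool name `link_new_email`, the `Account` shape and the limits are assumptions.

```python
"""Gating an AI support agent's account-change tool (illustration only)."""
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets

RISKY_TOOLS = {"link_new_email"}   # actions that rewrite identity settings
MAX_ATTEMPTS = 5                   # assumed per-account cap on change attempts

@dataclass
class Account:
    username: str
    email: str                          # contact currently on file
    pending_code: Optional[str] = None  # one-time code sent to that contact
    change_attempts: int = 0

def vulnerable_dispatch(acct: Account, tool: str, args: dict) -> bool:
    """Before: the agent executes whatever the chat asks for.
    Knowing the username is enough; nothing ties the caller to the owner."""
    if tool == "link_new_email":
        acct.email = args["new_email"]
        return True
    return False

def issue_ownership_code(acct: Account) -> tuple:
    """Send a one-time code to the address already on file, never to an
    address typed into the chat. Delivery is simulated; returns (to, code)."""
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    return acct.email, acct.pending_code

def hardened_dispatch(acct: Account, tool: str, args: dict, *,
                      code_from_user: Optional[str], human_confirmed: bool) -> bool:
    """After: the LLM only proposes; policy decides (human + LLM, 2-of-2)."""
    if tool not in RISKY_TOOLS:
        return False
    acct.change_attempts += 1
    if acct.change_attempts > MAX_ATTEMPTS:          # rate limit per account
        return False
    if acct.pending_code is None or code_from_user is None:
        return False                                 # no proof of ownership
    if not hmac.compare_digest(acct.pending_code, code_from_user):
        return False                                 # wrong code
    if not human_confirmed:
        return False                                 # human half of 2-of-2 missing
    acct.email = args["new_email"]
    acct.pending_code = None
    acct.change_attempts = 0
    return True
```

The same gate applies to any write on identity settings (phone, recovery contacts, 2FA devices); the agent's proposal is input to the policy, not an instruction to it.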
For Kenyan Instagram users and traders who rely on their accounts for commerce and outreach, the practical advice is unchanged: 2FA on, recovery email private, face scan enabled if available. Meta has patched this specific method. Others will follow.