2 Remove Virus

Meta AI flaw let hackers hijack Instagram accounts through recovery system exploit

Hackers exploited a vulnerability in Meta’s AI-powered Instagram recovery system to take over high-profile accounts, including the archived Obama White House Instagram profile, by abusing automated support workflows used to restore access to locked accounts. Meta has since patched the flaw and confirmed that impacted accounts are being secured.


According to researchers and multiple security reports, attackers discovered they could manipulate Meta’s AI support assistant into modifying account recovery details without passing normal verification checks. In some cases, the system allegedly allowed attackers to attach a new email address to a victim’s Instagram account, creating a path to reset passwords and seize control of profiles.

Researchers described the issue as a logic flaw within Meta’s automated recovery workflow rather than a breach of Instagram’s authentication infrastructure. Attackers reportedly did not need passwords, malware, or direct access to Meta systems. Instead, they abused weaknesses in the AI-driven support process itself.

One of the most visible victims was the @obamawhitehouse Instagram account, an archived profile preserving content from the Obama administration. The account briefly displayed unauthorized posts before Meta removed the content and restored access. Reports said some of the posts referenced political and sectarian themes.

Researchers said additional targets included corporate brands, influencer profiles, rare “OG” usernames, and business accounts with large audiences. Videos shared online allegedly demonstrated how attackers could exploit the recovery workflow to gain control of accounts with valuable usernames.

Investigators also found evidence suggesting some attackers used VPN services and spoofed location data to make recovery requests appear more legitimate. In certain cases, the AI assistant reportedly accepted limited account information as sufficient proof of ownership before processing sensitive account changes.

Security researchers noted that the exploit allowed attackers to bypass some two-factor authentication protections because the attack targeted the account recovery process rather than the login system itself. Once recovery information was changed, attackers could reset passwords and lock legitimate users out of their accounts.
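As an added, defender-side illustration (not Meta's code, and not a description of how Instagram's recovery system is built), the following models the control the reported flaw lacked: a deterministic policy gate between the support assistant and account mutations that honours only proofs recorded by the verification service, and never lets recovery for a 2FA-enrolled account be weaker than login. The action names, proof types and plan format are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Proof(Enum):
    PROFILE_DETAILS = "profile_details"  # weak: public or guessable facts about the account
    EMAIL_CODE = "email_code"            # code sent to the address already on file
    TOTP = "totp"                        # the account's existing second factor
    ID_REVIEW = "id_review"              # manual identity review


# Mutations that change who can recover or log in to the account (assumed names).
SENSITIVE_ACTIONS = {"attach_recovery_email", "reset_password", "remove_2fa"}
STRONG_PROOFS = {Proof.EMAIL_CODE, Proof.TOTP, Proof.ID_REVIEW}
STRONG_PROOFS_2FA = {Proof.TOTP, Proof.ID_REVIEW}  # no email-only path once 2FA is on


@dataclass
class RecoverySession:
    account: str
    has_2fa: bool
    proofs: set = field(default_factory=set)  # written only by record_proof()
    audit: list = field(default_factory=list)


def record_proof(session, proof):
    """Called by the verification service after a challenge succeeds, never by the assistant."""
    session.proofs.add(proof)


def authorize(session, action):
    """Deterministic check; ignores anything the assistant claims about verification."""
    if action not in SENSITIVE_ACTIONS:
        return True
    required = STRONG_PROOFS_2FA if session.has_2fa else STRONG_PROOFS
    ok = bool(session.proofs & required)
    session.audit.append({"account": session.account, "action": action,
                          "proofs": sorted(p.value for p in session.proofs), "allowed": ok})
    return ok


def execute_plan(session, plan):
    """plan is the assistant's proposed tool call; any 'verified' flag it carries is ignored."""
    action = plan["action"]
    if not authorize(session, action):
        return f"denied:{action}"  # denials are logged above and feed abuse monitoring
    return f"executed:{action}"
```

The audit entries record which proofs were present at each sensitive request, so a run of denied recovery-contact changes against high-value usernames is visible to detection without relying on the assistant's transcript.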

Meta confirmed that the vulnerability had been fixed after reports of account takeovers spread online. The company said it was securing affected accounts and disabling the vulnerable recovery behavior but has not disclosed how many users were impacted or how long the flaw remained active before being patched.