Meta A.I. Bug Lets Hackers Hijack Instagram Accounts Without Passwords

, , , , , , 0

Meta is investigating a security bug in its A.I. assistant that allowed hackers to hijack Instagram accounts, according to a company statement released Tuesday. The flaw, discovered by cybersecurity firm Oligo Security in late May 2026, let attackers send malicious commands through Meta A.I. to reset passwords and disable two-factor authentication on linked Instagram profiles.

How Attackers Used Meta A.I. to Hijack Accounts

The exploit chained together three weaknesses in Meta’s cross-platform integration. First, hackers sent a crafted prompt to Meta A.I. on Messenger or WhatsApp that triggered an account recovery flow. Second, the A.I. assistant improperly validated session tokens between platforms. Third, the system allowed override of 2FA controls without secondary confirmation. A Meta engineer confirmed the bug affected accounts where users had linked Instagram to Meta A.I. services.

Oligo Security researchers estimate the vulnerability existed for approximately 11 weeks before discovery. The firm’s technical analysis showed attackers needed only the target’s phone number or email address to start the takeover process. No user interaction was required beyond the initial message to the A.I. assistant.

Meta’s Response and Patching Timeline

Meta pushed an emergency server-side patch on June 2, 2026, roughly 72 hours after Oligo privately disclosed the bug. The company’s security team rotated all OAuth tokens and forced session sign-outs for affected accounts. Meta said no credit card data or private messages were accessed, though investigators still cannot rule out broader data exposure.

“We fixed a bug in our A.I. assistant that could have allowed account access under specific conditions,” a Meta spokesperson wrote in an email to Tech Nova X. “We recommend users enable login alerts and review active sessions in their Instagram security settings.” The company declined to specify how many accounts were compromised, stating the forensic audit remains ongoing.

What Instagram Users Should Do Now

Security experts recommend three immediate steps for all Instagram users. First, check account login activity for unfamiliar devices or locations. Second, reset your Instagram password even if your account shows no suspicious activity. Third, confirm that recovery email addresses and phone numbers are still correct. Meta also suggests unlinking and re-linking Instagram to Meta A.I. services through the Accounts Center.

Oligo Security plans to publish a detailed technical post-mortem next week, pending Meta’s approval of the disclosure timeline. The firm’s CEO told Tech Nova X that similar cross-service authentication flaws exist across the industry, not just at Meta. Instagram has over 2 billion monthly active users, roughly 40% of whom have linked their accounts to Meta’s A.I. assistant since its wide release in early 2025.

The incident follows a string of A.I.-related security concerns. Last month, Google patched a comparable issue with its AI dictation tools, as documented in a recent review of voice transcription accuracy. Security researchers continue to warn that voice and chat-based A.I. interfaces introduce authentication vulnerabilities that traditional web apps never faced.

Frequently Asked Questions

How to stop Meta AI bug from hijacking my Instagram?

Enable two-factor authentication and regularly update your Instagram app to patch this Meta AI vulnerability. Avoid clicking suspicious links even from contacts, as the bug bypasses password requirements.

What is the Meta AI zero-click Instagram hijacking vulnerability?

This is a security flaw in Meta's AI-powered features that allows hackers to take over Instagram accounts without needing passwords. By exploiting the AI system, attackers can execute a zero-click attack, gaining full account access simply through a malicious message.

Can someone hack my Instagram without password using Meta AI?

Yes, this bug enables password-less account hijacking through Meta's AI. Even with a strong password, your account could be compromised if you interact with a crafted payload or message.

What tools are used in Meta AI Instagram account hijacking attacks?

Attackers leverage custom scripts and AI manipulation frameworks to exploit the vulnerability. No specific public tool is known, but the attack vector often involves crafted media or chat interactions that trigger the bug.

Is two-factor authentication enough against Meta AI password bypass?

Two-factor authentication adds a barrier, but this bug may bypass both password and 2FA if it exploits session tokens or AI trust. For full protection, avoid unknown messages and keep apps updated until Meta patches the flaw.