Hackers Exploited Meta's Own AI Support Tool to Hijack Celebrity Instagram Accounts
A coordinated group of hackers manipulated Meta's automated customer-support system to gain control of high-profile Instagram accounts belonging to celebrities, influencers, and public figures. The attackers leveraged social engineering techniques against an AI chatbot designed to handle account recovery requests, according to multiple reports from cybersecurity researchers who studied the scheme.
The Anatomy of the Attack
The hackers targeted Meta's support infrastructure by feeding the AI chatbot a series of carefully crafted prompts that mimicked legitimate account-owner requests. By exploiting gaps in the automated verification process, they convinced the system to reset passwords and transfer control of verified accounts to attacker-controlled email addresses. The method required no breach of Meta's core systems — instead, it relied on manipulating the AI into bypassing its own security protocols.
Cybersecurity firm SpiderSilk, which investigated similar campaigns, documented how such attacks work in practice. The firm found that threat actors systematically test automated support systems to identify which request types receive minimal human oversight. Once they map the process, they scale the operation across dozens or hundreds of targets simultaneously.
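The two failure modes described above, an automated agent that can itself perform privileged recovery actions and a single operator scaling requests across many accounts, map to two defensive controls. The following is an added illustration (not Meta's code and not from the researchers cited): a policy gate that sits between a support chatbot and privileged actions, and a burst detector over recovery requests. Action names, factor names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Recovery actions the chatbot may propose but must never execute on its own
# (hypothetical action names for this example).
PRIVILEGED = {"reset_password", "change_recovery_email"}
# Ownership proofs that do not come from the chat transcript itself.
STRONG_FACTORS = {"passkey", "trusted_device", "hardware_key"}


@dataclass
class RecoveryRequest:
    account: str
    verified_badge: bool                      # blue-check account, high-value target
    proposed_action: str                      # what the chatbot wants to do
    proven_factors: set = field(default_factory=set)


def gate(req: RecoveryRequest) -> str:
    """Policy layer between the chatbot and privileged actions.
    Returns 'allow', 'escalate' (human review) or 'deny'; the model's
    confidence in the conversation never enters this decision."""
    if req.proposed_action not in PRIVILEGED:
        return "allow"                        # informational replies are fine
    if not (req.proven_factors & STRONG_FACTORS):
        return "deny"                         # a convincing chat is not proof of ownership
    if req.verified_badge or req.proposed_action == "change_recovery_email":
        return "escalate"                     # control transfer or verified account: human signs off
    return "allow"


class BurstDetector:
    """Flags one source (session, IP, device) driving recovery requests across
    many distinct accounts in a short window: the scaling pattern in the article."""

    def __init__(self, window_s: int = 600, threshold: int = 5):
        self.window_s, self.threshold = window_s, threshold
        self.events = defaultdict(list)       # source -> [(timestamp, account)]

    def observe(self, source: str, ts: float, account: str) -> bool:
        evs = self.events[source]
        evs.append((ts, account))
        recent = {a for t, a in evs if ts - t <= self.window_s}
        return len(recent) >= self.threshold  # True means: alert and hold the session


if __name__ == "__main__":
    r = RecoveryRequest("celeb_handle", True, "reset_password", {"passkey"})
    print(gate(r))                            # escalate
```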
Pricey Instagram Accounts: A Lucrative Underground Market
The accounts targeted in this scheme were not random users. The hackers focused on verified profiles with large followings — the kind of handles that fetch thousands of dollars on underground marketplaces. A single five-letter Instagram username with a million followers can sell for $5,000 to $50,000, depending on its exact spelling and audience demographics.
These stolen accounts serve multiple purposes once in criminal hands. Some are rebranded and used to promote investment scams or counterfeit goods. Others are stripped of their original usernames and resold to new owners willing to pay premium prices for short, memorable handles. The market operates across forums hosted in jurisdictions that make enforcement difficult for Meta and law enforcement alike.
Why Verified Accounts Command Premium Prices
Instagram's username system creates artificial scarcity. Because the platform prohibits duplicate handles, a short name or a recognizable brand word becomes inherently valuable. Criminals prize verified accounts because the blue checkmark lends credibility to scam posts, making victims more likely to trust fraudulent investment opportunities or phishing links.
The economic logic is straightforward: demand outstrips supply, and the underground market fills the gap. Every time a legitimate user abandons a short username or a brand fails to secure its own name, that handle becomes a commodity. Hackers who accumulate these assets operate like arbitrage traders, buying low through deception and selling high to collectors and scammers.
Meta's Exposure and Investor Concerns
For Meta, the incident raises uncomfortable questions about its automated customer-service infrastructure. The company processes millions of account-recovery requests annually through AI-powered systems, a scale that makes human review of every case impossible. If those systems can be systematically manipulated by patient attackers, the platform's trust model faces structural risk.
Investors have grown increasingly sensitive to platform security headlines. Meta's stock performance depends partly on advertiser confidence that the platform offers a safe environment for brand outreach. High-profile account takeovers — especially those involving celebrities — generate media coverage that reminds corporate marketing departments of the platform's vulnerabilities. If major brands begin questioning their ad spend on Instagram, Meta's revenue projections could face pressure.
The company has not disclosed the total number of accounts compromised in this specific campaign. Meta spokespersons have stated that the company continuously updates its automated systems to counter emerging attack patterns, though they declined to specify which safeguards were bypassed in this case.
Regulatory Pressure Mounts
The incident arrives as regulators in the United States and Europe scrutinize platform companies for inadequate protection of user accounts. The Federal Trade Commission has signaled heightened attention to how social media companies handle account recovery processes, particularly those involving verified users who face elevated targeting from scammers.
Under the European Union's Digital Services Act, platforms with more than 45 million monthly active users in Europe face specific obligations around account security and fraud prevention. Meta falls squarely within that threshold. If investigators determine that the automated support vulnerability enabled widespread account theft, the company could face regulatory action and mandatory security audits.
What to Watch Next
Cybersecurity researchers expect copycat attacks to intensify as the techniques used in this campaign circulate among criminal communities. Several forums already host discussions adapting the method to other platforms with AI-powered support systems. Meta's security team will need to demonstrate measurable improvements in its verification processes to reassure both users and regulators.
The next phase likely involves disclosure of the full scope of the breach. Researchers and journalists are pushing for transparency about which accounts were affected and how long the exploitation window remained open. If evidence emerges that the campaign spanned months before detection, the reputational damage to Meta's security credibility will deepen considerably.