Hackers exploited a critical vulnerability in Meta's AI-powered support system to hijack high-profile Instagram accounts, including the Obama White House account and the U.S. Space Force Chief Master Sergeant's account. The exploit, described by security researchers as "the first proper zero auth password reset" seen in production, allowed attackers to take complete control of accounts without any authentication.
Two-Step Exploit Bypassed All Security Measures
The attack involved a two-step process targeting Meta's automated support system. Attackers needed only the target's username, then used VPNs or proxies positioned in the victim's city to bypass regional security checks. They contacted Meta's support AI claiming the account was compromised and requested that verification codes be sent to an attacker-controlled email address.
In the second step, the AI sent reset codes to the attacker's email without verifying that the email belonged to the legitimate account holder. The attacker provided the code back, and Meta issued a full password reset link, transferring complete account ownership. The exploit defeated two-factor authentication because the system treated the recovery as a legitimate owner reset.
High-Value Accounts Targeted, No Owner Alerts Sent
Victims received no alerts about email or phone changes or login attempts, and they could not reach human support; only automated chat was available. Some accounts required AI-animated identity videos, which could be spoofed with public photos from the target's feed.
Short vanity handles worth hundreds of thousands to millions of dollars were targeted. Black-market Telegram groups offered account-takeover services at premium rates before the exploit was patched. Security researcher Jane Manchun Wong also reported that her Instagram account was hacked.
MFA Blocked Attacks, Meta Issues Emergency Patch
The hackers stated their exploit failed to work against any accounts that had multi-factor authentication enabled, meaning even basic SMS codes would have blocked the attack. Meta issued an emergency patch the same evening the vulnerability was publicly documented, stating "This issue has been resolved and we are securing impacted accounts."
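The design flaw described above (a reset code delivered to whatever address the requester names, no owner notification, no factor check) is easiest to see beside a hardened version of the same step. The following is an added illustration, not Meta's code; the account store, the alert list and the recovery functions are constructed for this example.

```python
# Added example (not Meta's code): a minimal recovery handler showing the weak
# behaviour the article describes next to a hardened one. Account data, names
# and the alert mechanism are constructed for illustration only.
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    registered_email: str
    mfa_enabled: bool = False
    alerts: list = field(default_factory=list)  # owner notifications (constructed)


ACCOUNTS = {  # constructed sample accounts
    "vanity": Account("vanity", "owner@example.com", mfa_enabled=False),
    "locked": Account("locked", "owner2@example.com", mfa_enabled=True),
}


def weak_recovery(username: str, requested_email: str) -> dict:
    """Flawed flow: the reset code goes wherever the requester asks, the account's
    registered contact is never consulted, and the owner is not told."""
    ACCOUNTS[username]  # existence is the only thing checked
    return {"delivered_to": requested_email, "code": secrets.token_hex(4)}


def hardened_recovery(username: str, requested_email: str) -> dict:
    """Hardened flow: a code is delivered only to the contact already bound to the
    account, the owner is alerted on every attempt, and MFA-enrolled accounts must
    satisfy their factor first. The external message is identical in every branch
    so the response itself confirms nothing about the account."""
    generic = "If the details match, recovery instructions have been sent."
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"message": generic, "delivered_to": None, "next": None}
    acct.alerts.append(f"recovery requested for {username} from {requested_email}")
    if acct.mfa_enabled:
        # Recovery must not be a back door around the enrolled factor.
        return {"message": generic, "delivered_to": None, "next": "mfa_step_up"}
    if requested_email.strip().lower() != acct.registered_email.lower():
        # Never send to an address the requester supplied; silently decline.
        return {"message": generic, "delivered_to": None, "next": None}
    return {"message": generic, "delivered_to": acct.registered_email,
            "code": secrets.token_hex(4), "next": None}
```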
Key Takeaways
- Hackers exploited Meta's AI support bot to reset passwords without authentication verification
- High-profile accounts compromised included Obama White House and U.S. Space Force Chief Master Sergeant accounts
- Exploit defeated 2FA and sent no alerts to legitimate account owners
- Accounts with any form of MFA enabled were protected from the attack
- Meta issued emergency patch on June 1, 2026, after public disclosure