The Meta AI Instagram Hack Wasn’t About Authentication. It Was About Authorization.

https://www.cybersecurity-insiders.com/the-meta-ai-instagram-hack-wasnt-about-authentication-it-was-about-authorization/

Publish Date: 2026-06-06 12:36:00

Source Domain: www.cybersecurity-insiders.com

When attackers hijacked Instagram accounts in early June by tricking Meta’s AI support chatbot, most of the coverage focused on the breach itself. But this incident is a clear illustration of a broader and more critical problem: the security industry has invested heavily in controlling what AI says, while largely ignoring what AI is authorized to do.

Meta’s bot verified nothing about who was asking. It just helpfully did what it was told to do — up to and including sending the attacker a confirmation code to make sure a new email address was valid. Until we start applying more mature authorization frameworks to AI agents, we’ll have more incidents like this.

What Actually Happened

The attack itself was straightforward. The attacker spoofed the location of the victim using a VPN, which circumvented certain protections that would have triggered if the attacker’s location was far from the victim’s. The attacker then asked an experimental Meta chatbot to add a new email address to the account. The chatbot emailed verification codes to confirm the new address was valid. It was trying to be helpful! The attacker verified the new email address, was presented with an opportunity to reset the password, and thus gained control of the account.

Most attacks are not one simple hole that can be patched. They string together vulnerabilities to escalate privileges or take over valuable accounts. Based on the attack details that have been publicly shared from this incident, the failures in this vulnerability chain included: relying on IP location to determine if additional security measures are taken; allowing a chatbot to modify a user’s primary email; requiring verification codes only from the new email address and not the old; and treating those verification codes as enough to allow for a password reset, which the chatbot facilitated. Guardrails around any of these would have stopped this version of the attack.
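The failure chain above can be made concrete as a policy check that an AI support agent must pass before it executes any account-changing tool call. The following is an added example written for this article, not Meta's code: it models the described behaviour as a "weak" policy (geolocation as the only identity signal, proof of control of the new address treated as proof of account ownership, password reset reachable through the bot) beside a hardened policy that requires an authenticated session, confirmation from the existing address, and refuses to let the conversational channel perform a reset at all. All action names, fields and the sample request are constructed for illustration.

```python
"""Tool-call authorization for an AI support agent (added example, not Meta's code).

Models the article's failure chain as an explicit policy that runs before the
agent executes an account-changing action. Field names, actions and the sample
request are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable

# Actions the agent can request on behalf of a user (constructed names).
CHANGE_PRIMARY_EMAIL = "change_primary_email"
RESET_PASSWORD = "reset_password"
READ_HELP_ARTICLE = "read_help_article"


@dataclass(frozen=True)
class ToolCall:
    """What the agent wants to do, plus the evidence it has about the caller."""
    action: str
    session_authenticated: bool      # caller holds a valid logged-in session
    geo_matches_history: bool        # IP geolocation is near the account's usual locations
    new_email_verified: bool         # code sent to the NEW address was echoed back
    old_email_verified: bool         # code sent to the EXISTING address was echoed back
    channel: str = "chatbot"         # which surface initiated the request


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple[str, ...] = ()


Policy = Callable[[ToolCall], Decision]


def weak_policy(call: ToolCall) -> Decision:
    """Mirrors the chain the article describes: location is the only identity
    signal, and proving control of the new address is treated as proving
    ownership of the account."""
    if call.action == READ_HELP_ARTICLE:
        return Decision(True)
    if not call.geo_matches_history:
        return Decision(False, ("location anomaly",))
    if call.action in (CHANGE_PRIMARY_EMAIL, RESET_PASSWORD) and call.new_email_verified:
        return Decision(True)
    return Decision(False, ("insufficient verification",))


# Actions a conversational agent must never complete by itself; they are handed
# off to the normal authenticated account-settings flow instead.
AGENT_FORBIDDEN = frozenset({RESET_PASSWORD})


def hardened_policy(call: ToolCall) -> Decision:
    """Authorizes on evidence of who is asking, not on helpfulness.

    - sensitive actions need an authenticated session, not a geolocation guess;
    - replacing the recovery address requires confirmation from the address
      being replaced, not only from the one being added;
    - the agent may not perform a password reset; the request is deferred to
      the authenticated, rate-limited first-party flow.
    """
    reasons: list[str] = []
    if call.action == READ_HELP_ARTICLE:
        return Decision(True)
    if call.action in AGENT_FORBIDDEN and call.channel == "chatbot":
        reasons.append(f"{call.action} not permitted via chatbot; route to account settings")
    if not call.session_authenticated:
        reasons.append("no authenticated session (geolocation is not an identity signal)")
    if call.action == CHANGE_PRIMARY_EMAIL:
        if not call.old_email_verified:
            reasons.append("existing primary email did not confirm the change")
        if not call.new_email_verified:
            reasons.append("new email not verified")
    return Decision(not reasons, tuple(reasons))


def evaluate(policy: Policy, call: ToolCall) -> Decision:
    """Single choke point: every tool call passes through here and the outcome
    is logged, so denials are visible to the detection team."""
    decision = policy(call)
    print(f"{policy.__name__:16} {call.action:22} allowed={decision.allowed} "
          f"{'; '.join(decision.reasons)}")
    return decision


# Constructed scenario matching the article: VPN makes the location look local,
# there is no real login, and the requester controls only the address being added.
SPOOFED_REQUEST = ToolCall(
    action=CHANGE_PRIMARY_EMAIL,
    session_authenticated=False,
    geo_matches_history=True,
    new_email_verified=True,
    old_email_verified=False,
)

if __name__ == "__main__":
    evaluate(weak_policy, SPOOFED_REQUEST)        # allowed: the described failure
    evaluate(hardened_policy, SPOOFED_REQUEST)    # denied with two reasons
    evaluate(hardened_policy, ToolCall(RESET_PASSWORD, True, True, True, True))
```

The design point is that the policy sits between the model and the tool, not inside the prompt: the agent can be talked into asking for anything, but the authorizer only looks at verifiable session and verification state, and every denial is a log line a detection team can alert on.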

Authentication vs….