An AI Just Handed Hackers a Stack of Verified Instagram Accounts. Here's How to Keep Yours Off the Next List.
In early June 2026, attackers took over a string of high-profile Instagram accounts — including an Obama-era White House handle and Sephora's — without cracking a single password. They didn't phish a victim. They didn't brute-force anything. According to reports from TechCrunch and others, they opened a chat with Meta's own AI support assistant and asked it to add a new email address to someone else's account.
Here's how it actually worked.
The method. The attackers used a VPN to spoof the target's location, then asked Meta's AI support chatbot to link the account to an email address they controlled. The bot had elevated system permissions and did exactly that — without ever verifying that the person asking was the account's real owner.
The 2FA bypass that wasn't. The AI then sent a security code to the newly linked email — the hacker's. On accounts with nothing else protecting them, that was enough to take over, and some were reportedly resold within hours. But where two-factor authentication was switched on, the system still demanded the real owner's 2FA code — the SMS or authenticator token that only lands on the owner's own phone. The hacker never had it, so the takeover stalled at the final step. That one extra factor was the entire difference.
The fix. Meta patched the flaw quickly, stripping its conversational AI of the ability to arbitrarily change account emails or reset passwords. The hole is closed. The lesson isn't.
That last detail is the whole reason for this post. 2FA didn't fail here — it was the only thing that worked. But "the one thing that saved people" and "all the protection you'll ever need" are not the same sentence, and quietly treating them as the same is exactly the gap the next attack is counting on. So here's how we're rewriting our guidance across the site — and why.
Why "turn on 2FA" is no longer the finish line
For years the standard advice was: use a strong password, turn on two-factor authentication, done. That advice was good. It is no longer enough, for two reasons.
First, most 2FA can be phished in real time. When you get a code by text or read one out of an authenticator app, that code is just a string you type into a box. Modern phishing kits sit invisibly between you and the real site — you log in on what looks like the real page, they capture your password and your code as you type them, and they're inside before the code expires. Security researchers call these adversary-in-the-middle attacks, and they defeat both SMS codes and authenticator-app codes. SMS is worse still, because SIM-swapping lets an attacker redirect your texts to their phone entirely.
Second, the front door isn't the only door. The Instagram takeovers didn't beat anyone's login at all. They walked in through account recovery — the "I lost access, please reset my email" path. That's the soft underbelly of almost every account you own, and as companies hand recovery over to AI chatbots and overworked support queues, it's getting softer.
The fix for both problems is the same idea: use login methods that a fake page literally cannot reuse, and lock down the recovery path behind them.
How to actually protect yourself — strongest to weakest
Think of this as a ladder. Climb as high as each account lets you.
1. Passkeys (the new gold standard). A passkey is a cryptographic key tied to the real website's address. Type it into a lookalike phishing page and nothing happens — the key simply won't work anywhere but the genuine site. That property is called being "phishing-resistant," and it's the thing ordinary 2FA doesn't have. The UK's national cyber agency now recommends passkeys anywhere a service supports them. Instagram, Google, Apple, and Microsoft all support them today. Turn them on.
2. Hardware security keys. A small physical key you tap or plug in — YubiKey, Google Titan, Feitian. Some, like the YubiKey Bio, even read your fingerprint. Same phishing resistance as passkeys, in a device a remote attacker can't touch. This is the right choice for your highest-value accounts: primary email, banking, anything tied to money or your business. Buy two — one to use, one as a backup in a drawer.
3. App-based two-factor (authenticator app). Authy, Google Authenticator, and similar. Meaningfully better than text-message codes and worth using everywhere a key or passkey isn't an option. Just know it can still be phished in real time, so it's a strong middle rung — not the top.
4. The floor: SMS codes and password hygiene. Text-message 2FA is the weakest form of 2FA, but weak 2FA still beats none — keep it on anything that offers nothing better. And the password basics still matter precisely because attackers go after them first:
- Never reuse a password. We know. Everyone does it. One reused password means one breach unlocks every account that shares it. Stop.
- Use a password manager. It generates a different strong password for every site, remembers all of them, and increasingly stores your passkeys too. It is the single highest-leverage thing most people can do, and it makes "never reuse a password" effortless instead of impossible.
2FA and good passwords are the floor you stand on. They are not the ceiling you stop at.
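Why a passkey cannot be relayed through a lookalike page while a typed code can, shown from the website's side. This is an added example, not code from Cautellus or from any passkey library: the relying-party name, origin and challenge are constructed, and the final signature check over the assertion is left out so the origin and rpId binding that make passkeys phishing-resistant stand on their own.

```python
import base64
import hashlib
import json

# Constructed relying-party settings; not real Instagram values.
RP_ID = "example-social.test"
GENUINE_ORIGIN = "https://example-social.test"
FLAG_USER_PRESENT = 0x01


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes):
    """Relying-party checks that make a passkey phishing-resistant. Returns (ok, reason).
    The signature over auth_data || sha256(clientDataJSON) is not checked here."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed)"
    # The browser fills in origin from the page the user is actually on, so a
    # relay through a lookalike domain shows up here even with a fresh challenge.
    if client_data.get("origin") != GENUINE_ORIGIN:
        return False, "origin %r is not the genuine site" % client_data.get("origin")
    # authenticatorData begins with sha256(rpId): the credential is scoped to it.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON as a browser would produce for `origin`."""
    cd = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(cd).encode())


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash, flags (UP set), signCount = 0."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_USER_PRESENT]) + b"\x00\x00\x00\x00"


CHALLENGE = b"constructed-challenge-0123456789ab"
```

A six-digit code typed into the lookalike page carries no origin at all, which is exactly why an adversary-in-the-middle kit can forward it; the assertion above fails the moment the origin is anything but the genuine site.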
Lock the back door: account recovery
This is the part the Instagram attacks exploited, and the part almost everyone forgets.
- Use a private, dedicated recovery email that isn't published anywhere on your public profile. If attackers can't find the address tied to your account, they can't target it.
- Save your backup codes offline — printed or in your password manager, not in a screenshot in your camera roll.
- Remove SMS as a recovery option wherever the service lets you, since that's the channel SIM-swappers hijack.
- Check active sessions and login alerts regularly. If a stranger triggers a reset, you want to know in seconds, not after the account is sold.
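The recovery-path weakness described above and in the section on the Instagram takeovers, reduced to a policy check. This is an added example, not Meta's code or Cautellus's: the account record, the in-memory "outbox" and the support-request shape are all constructed. The vulnerable flow proves ownership with a code sent to the new address the requester chose; the hardened flow demands the owner's existing second factor first and sends the confirmation to the address already on file.

```python
import hashlib
import hmac
import secrets
import struct

OUTBOX = {}   # constructed stand-in for email delivery: address -> code
PENDING = {}  # username -> (new_email, expected confirmation code)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the owner's existing authenticator-app factor."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def start_link_email_vulnerable(account, new_email, country):
    """Mirrors the reported flaw: a location match is the only identity check,
    and the confirmation code goes to the NEW address the requester chose."""
    if country != account["usual_country"]:
        return "denied: location mismatch"
    code = secrets.token_hex(3)
    OUTBOX[new_email] = code
    PENDING[account["user"]] = (new_email, code)
    return "code sent to " + new_email


def start_link_email_hardened(account, new_email, country, existing_totp, now):
    """Ownership is proved with a factor the current owner holds; confirmation goes to the address on file."""
    window = [totp(account["totp_secret"], now + d) for d in (-30, 0, 30)]
    if not any(hmac.compare_digest(existing_totp, c) for c in window):
        return "denied: existing second factor required"
    code = secrets.token_hex(3)
    OUTBOX[account["email"]] = code          # owner sees it; a stranger does not
    PENDING[account["user"]] = (new_email, code)
    return "code sent to " + account["email"]


def finish_link_email(account, code) -> bool:
    new_email, expected = PENDING.get(account["user"], (None, None))
    if expected is None or not hmac.compare_digest(code, expected):
        return False
    account["email"] = new_email
    return True


def simulate_stranger(account, start, **extra) -> bool:
    """Policy test: a requester spoofing the country who controls only their own inbox."""
    OUTBOX.clear(); PENDING.clear()
    stranger = "stranger@evil.test"
    start(account, stranger, account["usual_country"], **extra)
    seen = OUTBOX.get(stranger)
    return finish_link_email(account, seen) if seen else False
```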
The 10-minute version
- Turn on passkeys for every account that supports them.
- Put a hardware security key on your email, bank, and business logins.
- Switch any SMS 2FA you can to an authenticator app — or better, a passkey.
- Move every password into a password manager and let it kill the duplicates.
- Set a private recovery email and store your backup codes somewhere offline.
Scammers are no longer betting on cracking your password. They're betting on talking their way past whatever stands behind it — a support agent, a recovery form, or, now, a chatbot that was just trying to be helpful. Build accounts that don't reward a good sob story.
Real banks don't text you a login code and ask you to read it back. Real support doesn't reset your email because someone asked nicely. And real security doesn't stop at "I turned on 2FA."
Sources: Reporting on the Meta AI support-bot vulnerability from NeuralTrust, CNET, Cypro, MEGA, and SafeState.
Courtney
Founder, Cautellus · 20+ years in financial services
Two decades in financial compliance, digital security, and fraud prevention. Built Cautellus because the scam detection tools that exist were made for IT departments, not for real people getting weird texts.