The attack involved manipulating Meta’s AI support tool into resetting account credentials without properly verifying identity.

In some cases, attackers were able to take over accounts linked to the Obama-era White House Instagram page, beauty retailer Sephora, and a senior U.S. Space Force official.

The accounts were not breached through Meta’s core systems. Instead, hackers targeted the chatbot’s decision-making process, using what cybersecurity experts describe as prompt injection techniques, combined with VPN tools to mimic the location of the account holder.

Once inside the recovery flow, attackers reportedly asked the AI to link new email addresses to targeted accounts. The chatbot then sent verification codes to those emails. After that step, password resets followed.

A security researcher familiar with the incident described how quickly access could be lost and regained. Jane Manchun Wong, a former Meta employee whose account was affected, said in a post on X: “Quite concerning,”.

She also reported repeated password reset attempts and a brief lockout before regaining access.

Posts on social media showed users discussing similar takeovers. Some said they were locked out without warning, while others complained about the lack of human support during recovery.

Meta confirmed the issue had been addressed. Andy Stone, a spokesperson for the company, said: “This issue has been resolved and we are securing impacted accounts,”. In a separate response, he said claims that world leaders’ accounts were compromised were “totally false”.

One of the affected accounts linked to the Obama-era White House page briefly posted content before being recovered, according to reports by 404 Media. The page has been inactive since 2017.

Meta introduced the Instagram AI support chatbot in March 2026. It was designed to handle account recovery and reduce reliance on human support, an area where users have long complained about delays and limited access.

However, the incident has drawn attention to the risks of giving automated systems control over sensitive actions. Security specialists say the problem lies in how these tools are authorised.

Brian Westnedge, vice president for alliances and partnerships at cybersecurity firm Red Sift, said: “This is a foundational architecture failure. The model was given privileged actions without privileged access controls.”

He added that the situation reveals the pressure on Meta, which has cut staff while investing heavily in artificial intelligence systems.

Cybersecurity experts have also warned that the issue is not limited to one company. Prompt injection attacks have appeared in other systems since the rise of AI chatbots after 2022.

Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, said: “The concern isn’t necessarily AI itself, but whether adequate safeguards exist around what the AI is authorised to do.”

Engin Kirda, a professor at Northeastern University, said attackers are now targeting systems rather than individuals. He noted: “In the past, people were targeted by scams. Now, we are seeing agents being targeted by scams.”

Meta shares fell by more than 5% after reports of the breach, as investors are concerned about the company’s AI spending plans, which are expected to reach up to $145 billion.

The company says it has secured affected accounts and patched the vulnerability. It has not provided further technical details on how the exploit was carried out.

Grok 2, built on Musk’s proprietary Grok-1 language model, has been marketed as a less filtered and more “truth-seeking” alternative to tools like ChatGPT or Claude. 

Unlike many rivals, it draws directly from live data on X (formerly Twitter), enabling it to react to breaking news and trending conversations in real time. It also offers multimodal features, producing text, images, and video, and is currently available to X Premium+ subscribers.

By open sourcing the system, developers and researchers will gain direct access to Grok 2’s underlying code and architecture. This would allow them to audit, modify, and build upon the technology. 

Musk framed the decision as part of a consistent release pattern, stating it was “high time” to share the new model with the public. This aligns with a growing industry shift toward open-weight AI models, with Meta’s LLaMA, Mistral, and the GPT-oss series from OpenAI following similar paths.

However, Grok’s looser content restrictions have attracted complaints, with past instances of misleading or offensive responses bringing concern. Opening up its code could amplify risks, including the spread of misinformation or the misuse of the technology in sensitive fields such as medical diagnostics or autonomous systems. 

Grok Imagine—its image and video generator—has already been caught in controversy over its potential to produce explicit content, prompting further debate on the balance between openness and safety.

xAI continues to present Grok as a counterweight to larger AI players like OpenAI, Google, and Anthropic, putting transparency and developer freedom at the forefront. 

Analysts also note that this strategy may strengthen Musk’s business network, opening possibilities for integration across Tesla, SpaceX, Neuralink, and X.