prompt injection – Tech | Business | Economy (https://techeconomy.ng)

Instagram AI Chatbot Hack Exposes Security Flaw in Meta Account Recovery System
https://techeconomy.ng/instagram-ai-chatbot-hack-meta-security-flaw/
Wed, 03 Jun 2026 12:26:21 +0000

Hackers have exploited a flaw in the Instagram AI support chatbot to gain access to user accounts, including high-profile accounts.

The attack involved manipulating Meta’s AI support tool into resetting account credentials without properly verifying identity.

In some cases, attackers were able to take over accounts linked to the Obama-era White House Instagram page, beauty retailer Sephora, and a senior U.S. Space Force official.

The accounts were not breached through Meta’s core systems. Instead, hackers targeted the chatbot’s decision-making process, using what cybersecurity experts describe as prompt injection techniques, combined with VPN tools to mimic the location of the account holder.

Once inside the recovery flow, attackers reportedly asked the AI to link new email addresses to targeted accounts. The chatbot then sent verification codes to those emails. After that step, password resets followed.

A security researcher familiar with the incident described how quickly access could be lost and regained. Jane Manchun Wong, a former Meta employee whose account was affected, said in a post on X: “Quite concerning.”

She also reported repeated password reset attempts and a brief lockout before regaining access.

Posts on social media showed users discussing similar takeovers. Some said they were locked out without warning, while others complained about the lack of human support during recovery.

Meta confirmed the issue had been addressed. Andy Stone, a spokesperson for the company, said: “This issue has been resolved and we are securing impacted accounts.” In a separate response, he said claims that world leaders’ accounts were compromised were “totally false”.

One of the affected accounts linked to the Obama-era White House page briefly posted content before being recovered, according to reports by 404 Media. The page has been inactive since 2017.

Meta introduced the Instagram AI support chatbot in March 2026. It was designed to handle account recovery and reduce reliance on human support, an area where users have long complained about delays and limited access.

However, the incident has drawn attention to the risks of giving automated systems control over sensitive actions. Security specialists say the problem lies in how these tools are authorised.

Brian Westnedge, vice president for alliances and partnerships at cybersecurity firm Red Sift, said: “This is a foundational architecture failure. The model was given privileged actions without privileged access controls.”

He added that the situation reveals the pressure on Meta, which has cut staff while investing heavily in artificial intelligence systems.

Cybersecurity experts have also warned that the issue is not limited to one company. Prompt injection attacks have appeared in other systems since the rise of AI chatbots after 2022.

Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, said: “The concern isn’t necessarily AI itself, but whether adequate safeguards exist around what the AI is authorised to do.”

Engin Kirda, a professor at Northeastern University, said attackers are now targeting systems rather than individuals. He noted: “In the past, people were targeted by scams. Now, we are seeing agents being targeted by scams.”

Meta shares fell by more than 5% after reports of the breach, amid investor concern about the company’s AI spending plans, which are expected to reach up to $145 billion.

The company says it has secured affected accounts and patched the vulnerability. It has not provided further technical details on how the exploit was carried out.

How OpenAI’s New Lockdown Mode Targets AI Security Risks for Businesses
https://techeconomy.ng/openai-lockdown-mode-ai-security-businesses/
Tue, 17 Feb 2026 10:34:25 +0000

OpenAI has launched a new security setting called Lockdown Mode in ChatGPT, alongside “Elevated Risk” labels for certain features across its products.

The update focuses on one issue: prompt injection. In these attacks, hidden instructions are placed inside content an AI system reads. The goal is to mislead the system into revealing sensitive data or taking actions it should not take.

Lockdown Mode is optional and built for a small group of users who face higher security risks, including executives and security teams in major organisations. Most users will not need it.

When switched on, Lockdown Mode restricts how ChatGPT interacts with external systems. It disables certain tools that attackers could exploit to extract data from conversations or connected applications.

Web browsing is limited to cached content. No live network requests leave OpenAI’s controlled network. Some features are disabled entirely where the company says it cannot guarantee data safety.

[Image: OpenAI Lockdown Mode. Source: OpenAI]

The setting is now available for ChatGPT Enterprise, ChatGPT Edu, ChatGPT for Healthcare and ChatGPT for Teachers. Workspace administrators can enable it by creating a new role in Workspace Settings. Once activated, it adds tighter limits on top of existing controls.

At the same time, administrators keep granular control. They decide which apps remain available in Lockdown Mode and what actions users can take within those apps. Separately, the Compliance API Logs Platform provides visibility into app usage, shared data and connected sources.

OpenAI said it plans to make Lockdown Mode available to consumer users in the coming months.

The OWASP GenAI Security Project has classified prompt injection as a top vulnerability for large language models. It noted that malicious prompts can alter AI behaviour in unintended ways, even when they appear harmless.

Google’s security team has warned about indirect prompt injections, where hidden instructions are embedded in emails or documents. An AI system may access those sources and leak sensitive data without the user knowing.

Attackers have embedded instructions inside webpages or retrieved documents, causing AI systems to carry out harmful actions. In one case involving Gemini in Google Translate’s Gemini Mode, researchers showed how translation functions could be bypassed to generate dangerous content.

Anthropic recently published findings on prompt injection failure rates. It reported that even advanced models could be breached in certain contexts. In GUI-based systems with extended reasoning enabled, attack success rates exceeded 50% after repeated attempts.

Security researchers have also identified newer forms of attack, including Logic-Layer Prompt Control Injection, which targets deeper parts of AI systems such as persistent memory and retrieval logic.

By restricting live network access and disabling high-risk tools, Lockdown Mode addresses common attack surfaces linked to prompt injection, including browsing and connected apps.

The company said the feature builds on existing safeguards such as sandboxing, monitoring, enforcement, role-based access and audit logs, while adding stricter limits.

Alongside this, OpenAI has standardised “Elevated Risk” labels across ChatGPT, ChatGPT Atlas and Codex. These labels mark features that may introduce additional risk, particularly those involving network access.

For instance, in Codex, developers can grant network access so the system can retrieve documentation or perform actions on the web.

Where that access is enabled, the interface now displays an “Elevated Risk” label explaining what changes, what risks may arise and when such access may be appropriate.

The company said it will continue to review which features carry the label. As security protections improve and risks are reduced, it plans to remove the label from features considered safe for general use.
