Over the weekend somebody posted from the Obama-era White House Instagram account. It had been silent since January 2017. Whoever did it never had the password and never touched the email the account was tied to. They asked Meta’s support bot to let them in, and it did.
The steps, reconstructed from public reporting, are almost insultingly short. Connect through a VPN so your address sits near the target’s home city, enough to clear Instagram’s automated location check. Open a chat with the Meta AI Support Assistant. Ask it to add a new email, yours, to the target’s account. The bot mails a verification code to your address. Paste the code back. The bot shows you a Reset Password button. Set a new password. The owner is locked out, and none of it required anything that belonged to them.
It is tempting to file this under prompt injection and move on, because that is the scary-sounding category and there is a real version of it. But nobody had to be clever. They asked in plain language and the bot helped. The model did not malfunction. It did the exact thing a support agent is built to do, which is take the request at face value and reduce friction. The failure sits a layer down: the bot could add an email and trigger a reset, and nothing in front of it decided whether the person in the chat was allowed to ask.
I say everywhere else that AI is the how, not the headline. It writes the Terraform, drills the rollback, takes six weeks of migration down to two. That is the right seat for it: the delivery path, where it does the work and a human signs off. This weekend was the other half of the sentence. AI is the how, not the trust boundary.
An LLM is a text engine tuned to be helpful and easy to persuade. That is the worst possible property to put on an authorization decision, which is the one thing supposed to be unmoved by how nicely you ask. You can prove someone controls an email address. You cannot prove a sentence is authorized. So when the thing deciding who gets in is also the thing trained to want to say yes, nothing is actually checking whether the request is allowed.
This is a migration failure even though nobody migrated anything that weekend. Instagram’s account recovery was built years ago on one guarantee: to reset the password you must control the registered email. That single fact did the security work. Then a newer layer landed on top, an AI support tier meant to cut ticket volume, and it could add an email to an account on a user’s behalf. The old guarantee quietly stopped holding. Controlling the registered email no longer gated the reset, because now the bot would register one for you. Nobody went back and checked the old boundary against the new capability.
That is the failure I look for on every cut, and it almost never announces itself. A control that was load-bearing in the old design goes decorative in the new one, and everything looks fine until someone leans on the part that stopped holding weight. When you bolt a modern layer onto a legacy flow, working is not the same as safe. The thing to find is what invariant the old design was resting on, and whether the new path still holds it up.
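An added example, not code from Meta or from the reporting: a minimal sketch of keeping the old invariant on the new path, with the authorization decision made in deterministic code that sits between the bot and the account store. The class and function names, the account id and the addresses are all hypothetical.

```python
import hmac
import secrets

class Denied(Exception):
    """Raised when a tool call lacks proof of control of a registered factor."""

class RecoveryGate:
    """Deterministic check between the support bot's tool calls and the account store."""

    def __init__(self):
        self.emails = {}     # account_id -> set of registered addresses
        self.pending = {}    # (account_id, address) -> one-time code
        self.outbox = []     # (address, code) pairs, standing in for mail delivery

    def send_challenge(self, account_id, address):
        # Codes go only to addresses already on the account. A code sent to a
        # requester-supplied address proves control of that address and nothing else.
        if address not in self.emails.get(account_id, set()):
            raise Denied("challenge target is not a registered address")
        code = secrets.token_hex(4)
        self.pending[(account_id, address)] = code
        self.outbox.append((address, code))

    def add_email(self, account_id, new_address, proof_address, proof_code):
        # The invariant: changing recovery factors requires control of an existing one.
        expected = self.pending.pop((account_id, proof_address), None)  # single use
        if expected is None or not hmac.compare_digest(expected, proof_code):
            raise Denied("no proof of control of a registered address")
        self.emails[account_id].add(new_address)

def bot_tool_call(gate, account_id, args):
    """The model only supplies tool arguments; chat text never reaches the decision."""
    try:
        gate.add_email(account_id, args["new"], args.get("proof_addr", ""), args.get("code", ""))
        return "added"
    except Denied as exc:
        return f"denied: {exc}"

def demo():
    gate = RecoveryGate()
    gate.emails["acct-1"] = {"owner@example.test"}   # constructed sample data
    # A requester who controls only the new address has no proof to present.
    stranger = bot_tool_call(gate, "acct-1", {"new": "new@example.test"})
    # Owner path: the challenge goes to the registered address and the code comes back.
    gate.send_challenge("acct-1", "owner@example.test")
    _, code = gate.outbox[-1]
    owner = bot_tool_call(gate, "acct-1", {"new": "alt@example.test",
                                           "proof_addr": "owner@example.test", "code": code})
    return stranger, owner, sorted(gate.emails["acct-1"])
```

However the conversation goes, the bot can only forward arguments; the gate decides, and it decides on possession of a registered factor rather than on what was said.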
The most deflating detail is that multi-factor authentication stopped this cold. Not a hardware key. Plain SMS codes were enough. The slickest account takeover of the year, full control on a billion-user platform with no credentials, was shut out by the most boring control there is, for everyone who had bothered to switch it on. The identity layer is the perimeter now. It held for the people who spent thirty seconds turning MFA on.
Meta patched the flaw inside a day. I logged it on the advisory timeline with the year’s other identity-perimeter incidents, because that is the column it belongs in. Not a model problem. An access-control problem that happened to run through a model.
Paraphrased from public reporting, which is still firming up. Check the primary source before quoting it in a postmortem. Sources: Krebs on Security, TechCrunch.