Attackers exploited a logic flaw in Meta’s AI support chatbot over the weekend of May 31 through June 1, tricking the AI into changing account email addresses and routing verification codes to attacker-controlled addresses — bypassing two-factor authentication without needing to crack it.
How the Confused Deputy Attack Worked
The AI support chatbot had been given elevated backend privileges to modify account settings on behalf of users seeking help. The critical gap was that the chatbot lacked deterministic identity verification: there was no cryptographic check confirming that the person asking it to make account changes was actually the account holder. Attackers asked the chatbot in natural language to transfer account access, and the AI’s probabilistic reasoning made it susceptible to that social engineering.
The attack pattern is a textbook “confused deputy” — a class of security vulnerability in which a system granted authority to act on a principal’s behalf is manipulated into acting against that principal’s interests. In this case, a system designed to help account owners became the mechanism by which those owners were locked out.
Once the chatbot changed the recovery email address, verification codes for two-factor authentication flowed to the attacker-controlled inbox rather than to the legitimate account holder. The 2FA mechanism functioned exactly as designed — but it was protecting the attacker’s access, not the original owner’s.
@obamawhitehouse, Sephora, and U.S. Space Force Compromised
The attack affected a range of high-profile accounts. The @obamawhitehouse account was defaced with inflammatory content following compromise. The short-handle accounts @hey and @jowo — valued above $1 million combined on the handle resale market — were taken over. Sephora’s official brand account and the U.S. Space Force official profile were also confirmed compromised during the attack window.
The combination of politically significant accounts, high-value commercial handles, a major consumer brand, and a U.S. military branch profile illustrates that the attacks were not narrowly targeted. The confused deputy flaw was available to any attacker who understood the technique, and the victim set reflects opportunistic exploitation of that broad availability.
Meta’s Emergency Hotfix and Incomplete Propagation
Meta deployed an emergency hotfix on the evening of May 30 — the day before the weekend attack window — disabling conversational AI flows that had direct write access to account management APIs. The patch was intended to sever the pathway attackers were using: an AI conversation leading directly to a backend account modification.
However, attacks continued through the weekend, indicating the hotfix did not propagate fully before additional accounts were compromised. The gap between deploying a fix for a platform of Instagram’s scale and that fix taking effect globally represents an inherent latency that attackers exploited.
The Systemic Architecture Problem
Security researchers examining the attack concluded that the vulnerability was not unique to a specific Meta code path but rooted in how AI systems with conversational interfaces are being integrated into platforms that carry account management capabilities. The Instagram incident exposed a design pattern with implications that extend well beyond Meta’s implementation.
LLMs With Elevated Write Access and No Deterministic Auth
Security researchers identified this incident as a systemic AI architecture failure, not an isolated implementation bug. The confused deputy pattern emerges when any AI system is given elevated write privileges over sensitive resources while relying on probabilistic language understanding — rather than cryptographic or deterministic verification — to confirm that a request is authorized.
An LLM asked “please change my email address” cannot cryptographically verify that the person asking owns the account in question. It can only assess the request in probabilistic terms, and sufficiently crafted natural language prompts can push that probability assessment toward compliance. This is not a flaw that can be patched by improving the model’s reasoning; it is a structural incompatibility between probabilistic AI judgment and the deterministic authentication guarantees that account security requires.
Meta’s Architecture Must Separate AI Intake from Account Authorization
The researchers’ framing points toward an architectural requirement: AI systems given write access to sensitive account or data operations must have hard authentication gates — cryptographic verification, session token validation, or out-of-band confirmation — injected at the point where a sensitive action is about to execute. The AI can handle conversational intake, but the actual account modification must pass through a separate deterministic authorization check that the AI cannot bypass through language alone.
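The gate described above, sketched as an added example (not Meta's code and not from the original article): the backend verifies an HMAC-signed session token minted at login and checks that it is bound to the target account before executing any action the chatbot proposes. The token format, key, action names and function names are assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"   # constructed; a real key would live in a KMS/HSM
READ_ONLY_ACTIONS = {"faq_lookup"}     # hypothetical action names
SENSITIVE_ACTIONS = {"change_email", "reset_password"}

def _mac(account_id, expires_at, key):
    return hmac.new(key, f"{account_id}|{expires_at}".encode(), hashlib.sha256).hexdigest()

def issue_session_token(account_id, expires_at, key=SERVER_KEY):
    """Minted by the login service after real authentication, never by the chatbot."""
    return f"{account_id}|{expires_at}|{_mac(account_id, expires_at, key)}"

def verify_session_token(token, now, key=SERVER_KEY):
    """Return the authenticated account id, or None if the token is bad or expired."""
    try:
        account_id, expires_at, mac = token.split("|")
        expiry = int(expires_at)
    except (AttributeError, ValueError):
        return None
    expected = _mac(account_id, expires_at, key)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return account_id if now < expiry else None

def authorize_tool_call(proposed, session_token, now):
    """Deterministic gate run by the backend before a chatbot-proposed action executes.
    `proposed` is model output and is untrusted; the conversation text is never
    consulted, so no wording of a request can change the outcome."""
    action = proposed.get("action")
    if action in READ_ONLY_ACTIONS:
        return (True, "read-only")
    if action not in SENSITIVE_ACTIONS:
        return (False, "unknown action")          # deny by default
    authed = verify_session_token(session_token, now)
    if authed is None:
        return (False, "no valid session")
    if authed != proposed.get("account_id"):
        return (False, "session not bound to target account")
    return (True, "authorized")

if __name__ == "__main__":
    # Constructed sample: account 1001 is logged in; the model proposes changes.
    tok = issue_session_token("1001", expires_at=2000)
    for target in ("1001", "2002"):
        call = {"action": "change_email", "account_id": target}
        print(target, authorize_tool_call(call, tok, now=1000))
```

An authorized email change would still warrant out-of-band confirmation sent to the address already on file, which this sketch does not model.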
Meta’s response — disabling conversational AI flows with direct write access — amounts to a recognition that the previous architecture could not be made safe without redesign. Restoring AI-assisted account management functionality will require gating every sensitive write operation behind an authentication layer the AI itself cannot satisfy on behalf of a requester.