The attack produced no signal the detection stack could read
Meta's AI support agent, rolled out to every Facebook and Instagram account in March, was built to deliver what its product page called "solutions, not just suggestions" on account security and recovery. It could bind recovery emails, reset passwords, and execute account changes. It was authorized to do all of it.
That authorization is precisely why security operations centers saw nothing.
When an attacker asked the agent to add a new recovery email and send a verification code, the agent complied. Identity and access management systems logged both writes as legitimate transactions from a trusted actor. No failed-authentication spike. No anomalous login. No detection rule to match. The takeover lived entirely inside the trust boundary the stack assumes is safe.
Brian Krebs documented the attack chain, which pro-Iran hackers posted to Telegram on May 31. The attacker used a VPN to appear in the victim's region — sidestepping Instagram's location-based alerts — then asked the support assistant to add a new email. The bot sent the one-time verification code directly to the attacker. The password reset followed. The account owner was locked out in minutes.
Who was affected, and what the confirmed record shows
Confirmed affected accounts include Sephora, U.S. Space Force Chief Master Sergeant John Bentivegna, and researcher Jane Manchun Wong, according to 404 Media. A dormant Obama White House handle briefly displayed a defaced image during the same period; Meta disputes that account was taken through this method, per TechCrunch. Meta also called claims that leaders' accounts were breached "completely false," according to the BBC.
The detail that separated survivors from victims was narrow. Krebs reported the attack failed against any account with multifactor authentication — MFA, meaning a second verification factor required at login — enabled, even SMS-based MFA. The recovery path beside the login door was the gap.
When that path required a selfie video for identity verification, attackers reportedly ran the target's public photos through an AI video generator and submitted the result, which Meta accepted, according to gHacks. The failure, either way, was the recovery door — not the login door MFA guards.
An architecture problem, not a single-vendor problem
Security researchers have a name for this pattern: the confused deputy — a trusted system tricked into spending its privileges on an attacker's behalf. The attacker never deceived the agent in any technical sense. They asked, and the agent had untrusted input, write access, and execution capability simultaneously.
Simon Willison, who coined the term prompt injection, wrote plainly on his blog: "Meta really did wire their support system into an AI chatbot that had the ability to fast-forward through the entire account recovery process. Don't wire your support bot up to allow one-shot account takeovers."
Ian Goldin, a threat researcher at Lumen's Black Lotus Labs, told Krebs on Security that AI bots are as easy to social engineer as the human agents they replace. "AI chatbots create interesting new attack surface, and we're likely going to see a lot more of these kinds of attacks," Goldin said.
The structural issue extends beyond Meta. Any enterprise wiring an agent into a recovery, provisioning, or password-reset flow is shipping the same write access. Authorization cannot live inside the model — a conversational system can be prompted into skipping a check. It has to live outside the model, in a gate the agent cannot reason its way past.
What the audit requires
The accounts that survived Meta's incident already had MFA on the login path. That control was not the gap. The gap was the recovery path running beside it, built to relax standard checks for users who have lost their normal way in — and staffed with an agent holding keys to authentication state.
The fix is not another MFA prompt on the login screen. It is pulling authorization out of the recovery path's honor system: confirm out-of-band to the existing verified contact before any email rebind commits; require a non-email second factor before any reset completes; emit structured decision metadata for every authentication-state write into the SIEM; and ensure no write commits without a policy gate the model does not control.
Meta has not published how many accounts were affected before the patch, according to TechCrunch. The number of enterprises that have audited their own support agents against the same checklist is almost certainly smaller.