Meta claimed it patched the Instagram exploit, but hackers may still be using it

Instagram users are still reporting account takeovers despite Meta saying it has fixed a security issue that allowed attackers to hijack profiles using its own AI systems.

The exploit reportedly involves attackers using simple text prompts directed at Meta AI to change a target’s associated email address – effectively taking control of accounts and bypassing two-factor authentication. Once the email is swapped, victims are locked out almost instantly.

Meta has said the issue has been “resolved” and that impacted accounts are being secured. However, reports from security researchers and users suggest the problem hasn’t fully gone away. Fresh account takeovers continue even after the supposed fix.

One concern raised by developers is that Meta may have only removed a frontend “Get Support” button. Meanwhile, backend API endpoints connected to Meta AI may still be accessible. In other words, the visible entry point may be gone, but the underlying system could still be reachable through other methods.

Security researcher Jane Manchun Wong has publicly claimed that secondary accounts tied to her profile were compromised even after the fix, despite having two-factor authentication enabled. She also reported that her primary account password was changed without her consent. Similar experiences have been echoed by other users, including Meta’s own Director of Product Management Esther Crawford, according to posts circulating online.

The claims have sparked wider concern across developer and security communities. Some suggest attackers are now using automated scripts and Telegram-based tools to interact with Meta AI and trigger account changes at scale. Reports shared in community channels also suggest stolen accounts are being resold, particularly those with large followings or desirable usernames.

Meta has not detailed the full technical scope of the vulnerability. However, it has acknowledged that some users may still receive password reset prompts or additional verification steps as part of ongoing remediation.

The situation is further complicated by internal restructuring at Meta. The company has undergone major layoffs and a shift toward AI-focused initiatives, with reports suggesting Instagram’s Trust and Safety teams have been significantly reduced in size. While unconfirmed, these claims have intensified scrutiny around how quickly and thoroughly the issue is being handled.

For now, there is no clear confirmation that the exploit has been fully closed across all systems. This leaves uncertainty around whether affected users are fully protected, even with standard security measures enabled.

The post Meta claimed it patched the Instagram exploit, but hackers may still be using it appeared first on Trusted Reviews.
