Nobody picked a lock. The attackers opened a support chat and asked Meta’s AI to hand over the account, and it did. That’s the whole problem, and it’s why AI agent governance is now a board-level question, not an IT one.

Between 17 April and 31 May 2026, people took over more than 20,000 Instagram accounts by opening Meta’s AI account-recovery chatbot, “High Touch Support”, and asking it, in plain English, to move an account’s recovery email to one they controlled. The bot bound the new address, sent the verification code to the attacker, and offered a “Reset Password” button. The only setup was a VPN to make the request look like it came from the owner’s region, so Instagram’s location checks stayed quiet. 404 Media broke the story; Krebs on Security documented the attack chain.

[Figure: Five-step diagram of the Meta AI account-takeover chain: the attacker connects through a VPN in the victim’s region, opens the High Touch Support chat, asks the bot to add a new recovery email, the bot sends the verification code to the attacker, and the attacker completes a password reset.]

What happened in the Meta AI Instagram breach?

Meta’s filing with Maine’s Attorney General puts the total at 20,225 accounts. The first attack ran on 17 April; Meta didn’t discover it until 31 May, so the door stood open for roughly six weeks. (A “30 users” figure also circulated, per Krebs; that’s the count for a single jurisdiction in the Maine notice, not the total.)

The targets were what you’d expect once an account becomes currency. Attackers went for short “OG” handles that resell on Telegram for real money, two of them reportedly worth a combined million-plus. They took the dormant Obama White House account, which still carries around 2.4 million followers, along with the account belonging to the US Space Force’s senior enlisted leader. And because Meta had switched off end-to-end encryption for Instagram DMs on 8 May, midway through the window, whoever seized an account could read its message history in plain text. Attackers talked the agent into rebinding the recovery email, and everything else followed from there.

Why didn’t Meta’s security tools see the attack?

Because nothing the agent did looked like an attack. Every action it took was authorised.

The agent had legitimate write access. Binding a recovery email and triggering a password reset were things it was built to do. So when an attacker talked it into doing them, identity and access management logged both as authorised activity. None of the usual alarms fire on that. A request the system was built to honour doesn’t trip a failed-login alert, spike the auth logs, or hand the EDR anything to chew on, and nobody writes a SIEM rule to catch a transaction that is supposed to happen. As VentureBeat’s analysis put it, the takeover lived inside the trust boundary the rest of the stack assumes is safe. The attacker didn’t get past Meta’s security. Meta’s security waved them through, because the agent carried a badge Meta had issued it.
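A rule of the kind this paragraph says nobody writes, as an added example rather than anything from Meta or the cited reporting: it reads an agent's own audit trail and flags a session that binds a never-before-seen recovery address without step-up verification and then resets the password. The log format, field names and 15-minute window are assumptions, and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed threshold, tune to your own baseline

# Constructed, time-ordered agent audit events (JSON lines); all names are assumptions.
LOG = """\
{"ts":"2026-01-10T10:00:05","actor":"agent:support-bot","session":"s1","account":"a1","action":"rebind_recovery_email","new_email_seen_before":false,"step_up":false}
{"ts":"2026-01-10T10:01:10","actor":"agent:support-bot","session":"s1","account":"a1","action":"reset_password"}
{"ts":"2026-01-10T10:05:00","actor":"agent:support-bot","session":"s2","account":"a2","action":"rebind_recovery_email","new_email_seen_before":false,"step_up":true}
{"ts":"2026-01-10T10:06:00","actor":"agent:support-bot","session":"s2","account":"a2","action":"reset_password"}
{"ts":"2026-01-10T10:07:00","actor":"agent:support-bot","session":"s3","account":"a3","action":"reset_password"}
{"ts":"2026-01-10T10:10:00","actor":"agent:support-bot","session":"s4","account":"a4","action":"rebind_recovery_email","new_email_seen_before":false,"step_up":false}
{"ts":"2026-01-10T10:40:00","actor":"agent:support-bot","session":"s4","account":"a4","action":"reset_password"}
"""

def find_chained_takeovers(lines):
    """Alert when one agent session rebinds a recovery email to an unseen
    address without step-up and resets the password within WINDOW."""
    rebinds = {}   # (session, account) -> time of the suspicious rebind
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if not ev["actor"].startswith("agent:"):
            continue   # human logins are covered by existing rules
        key = (ev["session"], ev["account"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "rebind_recovery_email":
            if not ev["new_email_seen_before"] and not ev["step_up"]:
                rebinds[key] = ts
            else:
                rebinds.pop(key, None)   # a verified rebind clears the flag
        elif ev["action"] == "reset_password" and key in rebinds:
            gap = ts - rebinds.pop(key)
            if gap <= WINDOW:
                alerts.append({"actor": ev["actor"], "session": ev["session"],
                               "account": ev["account"],
                               "gap_seconds": int(gap.total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_chained_takeovers(LOG.splitlines()):
        print(alert)
```

The rule only works if the agent's actions are logged under the agent's own identity, which is why the `actor` field carries an `agent:` prefix here.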

A helpful agent is the problem here. The behaviour Meta bought the bot for, doing what it’s asked, is the same behaviour the attackers used. Simon Willison, who coined the term “prompt injection”, said the obvious thing. Don’t wire a support bot so that one conversation can hand over an account. Ian Goldin, a threat researcher at Lumen’s Black Lotus Labs, pointed at the bigger pattern. An AI agent is as easy to social-engineer as the human it replaced, and just as eager to please, and he expects a lot more of this.

What is a non-human identity, and why does your business have them now?

A non-human identity is any actor on your network that holds credentials and permissions but isn’t a person. You already have them, in the form of service accounts and API keys. You already govern the human version of this carefully, because you decide which staff and which vendors get the master keys. An AI agent that can do things, not just answer, is the same kind of privileged actor. Meta’s could rebind emails and reset passwords. Yours might issue refunds, change customer records, or release a payment. The difference is that nobody has decided what it’s allowed to do, or who owns the answer when it does something it shouldn’t.

What is AI agent governance?

AI agent governance is the practice of treating an AI agent as a privileged, non-human identity and applying four controls. It scopes the agent’s permissions to the narrowest set of actions it needs, requires a second factor or human approval for anything irreversible, logs the agent’s activity as its own, and names one accountable owner. Meta’s breach failed all four.

[Figure: The four AI agent governance controls applied to an AI agent: scoped permissions, human approval required for irreversible actions, an activity log under the agent’s own identity, and a single named human owner.]

None of these are exotic. They’re the controls you already put around a privileged human account, applied to an actor that doesn’t appear on your org chart. Put a human in the loop for anything irreversible, like rebinding an identity, moving money, or deleting records. Give the agent its own credentials and write detection rules for an agent behaving oddly, not just a human login behaving oddly. Keep a human escalation path; the absence of one is what left Meta’s victims with nowhere to turn for six weeks. The attack also failed against any account with multi-factor authentication, even basic SMS. A control as cheap as an SMS code stopped it cold.
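As an added example (not Meta's code or any vendor's), here is one way the four controls could sit in front of an agent's tool calls. The action names, the account store and the `proof_channel` parameter are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Hypothetical action names; the article names only the behaviours.
IRREVERSIBLE = {"rebind_recovery_email", "reset_password"}
# Constructed store: recovery channels bound before the conversation began.
ACCOUNTS = {"acct-1001": {"owner@example.com"}}

@dataclass
class AgentGate:
    agent_id: str        # the agent's own credential, so logs show it as itself
    owner: str           # the single accountable human
    allowed: frozenset   # narrowest set of actions the agent needs
    audit: list = field(default_factory=list)
    approvals: list = field(default_factory=list)

    def request(self, action, account, params=None, proof_channel=None):
        """Decide one tool call. proof_channel is the address on which a
        verification service confirmed a code; never taken from chat text."""
        if action not in self.allowed:
            decision = "deny_out_of_scope"
        elif action in IRREVERSIBLE and proof_channel not in ACCOUNTS.get(account, set()):
            # A code sent to the address being added proves nothing, so only
            # a channel bound before this request counts as a second factor.
            decision = "hold_for_human"
            # In this sketch the named owner is also the approver.
            self.approvals.append({"escalate_to": self.owner,
                                   "action": action, "account": account})
        else:
            decision = "allow"
        self.audit.append({"actor": self.agent_id, "action": action,
                           "account": account, "params": params or {},
                           "decision": decision})
        return decision

def demo():
    gate = AgentGate("agent:support-bot", "head-of-support@example.com",
                     frozenset({"lookup_ticket", "rebind_recovery_email"}))
    new = {"new_email": "someone-else@example.net"}
    return gate, [
        gate.request("lookup_ticket", "acct-1001"),
        gate.request("reset_password", "acct-1001"),              # out of scope
        gate.request("rebind_recovery_email", "acct-1001", new),  # no proof
        gate.request("rebind_recovery_email", "acct-1001", new,
                     proof_channel="someone-else@example.net"),   # proof on new address
        gate.request("rebind_recovery_email", "acct-1001", new,
                     proof_channel="owner@example.com"),          # proof on bound address
    ]
```

The fourth call is the case from the incident: the code went to the address being added, so the gate treats it as no verification at all and holds the request.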

Could this happen to your business, not just Meta’s?

It’s tempting to file this under “big platform, sloppy launch” and move on. That would be a mistake. The conditions that produced it are sitting in a roadmap slide in plenty of Australian businesses right now. Connect an AI agent to a system that can act, and customers get faster answers while the support queue shrinks. Months earlier, Meta had marketed this same assistant as cutting successful account hacks by around 30% (TechCrunch, December 2025). The upside was real enough. It just shipped with an attack surface nobody put on the slide.

Here is a test you can run this week. Find whoever bought or switched on your newest AI tool and ask them one thing.

What is it allowed to do without checking with anyone?

If they can’t answer, that’s the breach, before it happens.

Who owns AI agent governance in your organisation?

Plenty of organisations get this wrong, and the gap is rarely technical. It comes down to ownership. AI capability gets bought by marketing, bolted on by product, and operated by support, and responsibility for the risk falls between every chair.

Two answers feel safe and aren’t. “Our IT provider will catch it” is the answer this whole incident refutes; the security stack did exactly what it was built to do and still saw nothing, because the threat was authorised. “We’ll write an AI policy” produces a document, and a document doesn’t scope a permission or get woken at 2am when an agent goes off the rails.

Plenty of businesses have switched on AI faster than they’ve governed it. The fix is a named owner, not another tool. That’s the gap a Fractional Chief AI Officer fills. The role is one accountable owner for AI strategy, AI policy, and AI risk, on a retainer rather than a full-time hire. Done well, it speeds your AI plans up, because a named owner is what lets a serious operation say yes to AI with confidence while its competitors either freeze or play with live wires. The regulators are already moving the same way. APRA has told boards their AI literacy isn’t good enough, and that kind of expectation rarely stays inside one industry for long. If you’re weighing the role against your current team, here’s when an Australian SMB actually needs a Chief AI Officer.

Meta could absorb 20,000 compromised accounts and a bad week of press. Few businesses your size could. Build the agent on your roadmap, but give it limits and give it an owner before it goes live.
