THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-05-31-F1
CYBER · state actors · 2026-05-31SCOOP 80

Pro-Iranian hackers tricked Meta's AI support bot into handing over high-profile Instagram accounts

Pro-Iranian hackers spent the last weekend of May seizing high-profile Instagram accounts by tricking Meta's AI support assistant into resetting their passwords, Brian Krebs reported.

·FILED ISSUE 2026-05-31·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • On May 31, instructions spread on Telegram showing how to trick Meta's AI support assistant into linking a new email address to a target Instagram account during password reset
  • The bot sent a one-time code to the attacker-supplied email, enabling full account takeover when combined with a VPN IP near the victim's hometown
  • Instagram accounts of the dormant Obama White House, Sephora and a senior US Space Force official were defaced with pro-Iranian imagery over the weekend
  • Meta pushed an emergency patch and Andy Stone said the issue was resolved and impacted accounts were being secured
  • The attack failed against accounts with multifactor authentication enabled, including SMS-based MFA

VERDICT — CONFIRMED

curated-2src confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
Pro-Iranian hackers tricked Meta's AI support bot into handing over high-profile Instagram
Krebs on Security

Pro-Iranian hackers spent the last weekend of May seizing high-profile Instagram accounts by tricking Meta's AI support assistant into resetting their passwords, Brian Krebs reported. On May 31, word spread across several Telegram channels that Meta's AI bot would happily add a new email address to an existing account as part of its standard password-reset flow. A video circulated by the attackers showed the technique: connect through a VPN with an IP address in or near the target's usual hometown, request a password reset, then chat with Meta's AI support assistant and ask it to link the account to a new email address — to which the bot dutifully sent a one-time code enabling a full takeover.

Instagram accounts belonging to the dormant Obama White House, beauty retailer Sephora and a senior U.S. Space Force official were briefly defaced with pro-Iranian images and messages before Meta pushed an emergency patch over the weekend. Meta spokesman Andy Stone said the issue had been resolved and that impacted accounts were being secured.

Krebs noted the attack failed against accounts with multifactor authentication enabled, including those protected only by SMS codes.

Why it matters

a widely abused jailbreak of a platform's customer-facing AI agent shows agentic support tools becoming a standalone attack surface — one that bypassed Meta's account-recovery safeguards with the simplicity of a self-serve exploit.

Key facts on file

  • On May 31, instructions spread on Telegram showing how to trick Meta's AI support assistant into linking a new email address to a target Instagram account during password reset
  • The bot sent a one-time code to the attacker-supplied email, enabling full account takeover when combined with a VPN IP near the victim's hometown
  • Instagram accounts of the dormant Obama White House, Sephora and a senior US Space Force official were defaced with pro-Iranian imagery over the weekend
  • Meta pushed an emergency patch and Andy Stone said the issue was resolved and impacted accounts were being secured
  • The attack failed against accounts with multifactor authentication enabled, including SMS-based MFA

PRIMARY SOURCE

Krebs on Security
— Brian Krebs (2026-06-01) · fetched at filing · archived at publication

Sources · two-source rule

PRIMARYKrebs on Security— Brian Krebs (2026-06-01)
CORROB.Malwarebytes Labs— (2026-06-04)
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-05-31-f1 · filed 2026-05-31 · https://thedwire.com/wire/cyb-2026-05-31-f1-pro-iranian-hackers-tricked-meta-s-ai-support-bot-into.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
PAN-OS GlobalProtect auth bypass under active exploitation as CISA adds CVE-2026
The Hacker News
CYBER · SCOOP 63

PAN-OS GlobalProtect auth bypass under active exploitation as CISA adds CVE-2026-0257 to KEV

Exploitation of CVE-2026-0257, an authentication bypass in Palo Alto Networks' PAN-OS GlobalProtect VPN, moved to the top of defenders' weekend queue on May 30 after CISA added the flaw to its Known Exploited Vulnerabilities catalog late Friday and Rapid7 detailed in-the-wild attacks. The bug, first disclosed by Palo Alto Networks on May

✓ verifiednewSOURCE ↗
READ THE FILE ›
Carnival confirms breach of 5,995,277 people after ShinyHunters social-engineers
CYBER · SCOOP 80

Carnival confirms breach of 5,995,277 people after ShinyHunters social-engineers employee account

Carnival Corporation disclosed a data breach affecting 5,995,277 people, per a notification filed in Maine, with breach-notice letters sent on or about May 27, 2026. According to Carnival, an attacker used social engineering on April 14, 2026 to trick an employee into granting access to part of the company's IT environment; by April 22, 2

✓ verifiedSOURCE ↗
READ THE FILE ›
Charter confirms ShinyHunters breach via Entra vishing; group claims 40M+ Spectr
CYBER · SCOOP 79

Charter confirms ShinyHunters breach via Entra vishing; group claims 40M+ Spectrum records, Charter denies CPNI loss

Charter Communications confirmed a data breach after the extortion group ShinyHunters listed the company and threatened to leak stolen data. Per BleepingComputer, threat actors compromised an employee's Microsoft Entra account via voice phishing (vishing) on April 1, 2026, then used that access to export customer records from Charter's Sa

✓ verifiedSOURCE ↗
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.