Instagram Got Hacked by Politeness

A compliant robot handing over a skeleton key — IG's AI support bot vulnerability

Last week, hackers seized the Instagram accounts of the Obama White House, Sephora, and the Chief Master Sergeant of the U.S. Space Force. They didn’t need a password, they didn’t need the original email address, they didn’t need to break anything. They only needed to ask Meta’s AI support bot very politely — and the bot, eager to help, handed everything over. Wowza. My OpenClaw can do most things, but often tells me it can’t; I have to remind it of its own capabilities. Maybe I need to use Meta’s AI supplicant instead.

The method was almost surprisingly simple. Use a VPN to spoof a location near the target’s hometown, then initiate a password reset. When the option to chat with Meta’s AI support assistant appeared, take it. Then tell the bot to link the account to a new email address. The bot — designed to reduce friction for legitimate users stuck in account-recovery hell, which is EVERY day for me — obliged. A one-time code went to the attacker’s inbox. The account was gone. Videos demonstrating the exploit circulated on Telegram; the accounts briefly displayed pro-Iranian imagery before Meta pushed an emergency patch. Some reports suggest the takeovers continued even after that announcement.

No breach of Meta’s backend database, no sophisticated exploit, just a very agreeable AI doing exactly what it was designed to do with no guardrails: help someone who said they needed help.

This Is Not a Story About Hacking

Security researchers call what happened a “confused deputy” problem (can I get that on a t-shirt?), which is the polite way of saying: you gave an AI agent real power over real things, and it had no idea when to say no. It was just doing what was baked in, without any meaningful framework for distinguishing between a locked-out account owner and a pro-Iranian hacker with a Telegram following and a VPN subscription. Bots are like children: they only know what you tell them.

Instagram (Meta, Facebook) has notoriously poor human support infrastructure. The AI was supposed to make this easier. It did. For everyone.

The accounts affected included handles worth more than half a million dollars on the secondary market (short Instagram usernames trade like real estate, which is apparently news to no one except the people who were supposed to be securing them).

Is Every Bot Owner Scared Right Now?

Probably not. Most companies have oversight and redundancies for this — Meta is the size of a small country, and much like a bloated government entity there’s lots of red tape but no oversight. Every AI product company in the creator and social media space right now is building agents that do things. Not just generate text — actually do things. Post content. Manage accounts. Connect to platforms. Handle workflows that used to require a human to sit down and make a decision.

Tonimus does this, so I want to be direct about what we are and what we aren’t — because this week made the distinction matter.

We Are Not a Chatbot

Meta’s vulnerability came from giving a conversational AI elevated account-management privileges with no meaningful guardrails on who could invoke them. The bot was helpful by design, and helpfulness without authorization is just obedience — to whoever is in the room.

Tonimus.ai is not a support bot. We don’t field inbound requests from strangers, and we don’t have a chat interface that anyone on the internet can walk up to and make demands of. Our system acts on behalf of one person — you — using credentials you explicitly authorized, inside a workflow you set up. There is no “convince the AI” surface. There is no chatbot for someone to social-engineer.

We’re not smarter (well…), better-resourced, better-staffed, or more sophisticated. What we are is small — and small means the authorization model is simpler: you think very carefully about what the AI can and cannot do unilaterally, and what requires explicit human sign-off.
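The confused-deputy point above, and the split between what an agent may do unilaterally and what needs explicit sign-off, come down to one design decision: the conversational layer may request an action, but a separate dispatcher decides whether the caller is entitled to it. The sketch below is an added illustration written for this post, not Tonimus code and not anything from Meta; the tool names, trust levels and the `Caller`/`Account` types are hypothetical. Its one rule is that a change to the account’s recovery channel is never granted on the strength of a chat message: it requires a session already authenticated as the owner plus an explicit confirmation, and the caller’s apparent location is never consulted at all.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Callable, Dict, List, Optional


class Level(Enum):
    """How much trust a tool needs before the dispatcher will run it (hypothetical scheme)."""
    PUBLIC = 1          # changes nothing: e.g. a code to the recovery email already on file
    OWNER = 2           # the session must already be authenticated as the account owner
    OWNER_SIGNOFF = 3   # OWNER, plus an explicit out-of-band confirmation for this action


@dataclass(frozen=True)
class Caller:
    # Account id the session is authenticated as, or None for an anonymous chat user.
    principal: Optional[str]
    # Approximate location of the connection. Deliberately never read by authorize():
    # a VPN can place anyone near any hometown, so it carries no authorization weight.
    geo_hint: str
    # True only when the owner confirmed this specific action through a second channel.
    explicit_signoff: bool = False


@dataclass
class Account:
    owner_id: str
    recovery_email: str
    audit: List[str] = field(default_factory=list)


class Denied(Exception):
    """The caller is not entitled to the requested tool."""


# Each tool is classified once, here, rather than left to the model's judgement.
TOOL_LEVELS: Dict[str, Level] = {
    "resend_login_code": Level.PUBLIC,
    "set_recovery_email": Level.OWNER_SIGNOFF,
}


def tool_resend_login_code(account: Account, args: Dict[str, Any]) -> Dict[str, Any]:
    # Safe for anyone: the code only ever goes to the channel already on file.
    account.audit.append(f"login code sent to {account.recovery_email}")
    return {"sent_to": account.recovery_email}


def tool_set_recovery_email(account: Account, args: Dict[str, Any]) -> Dict[str, Any]:
    # The action that turns "helpful" into account takeover if it is reachable by a stranger.
    old, account.recovery_email = account.recovery_email, args["email"]
    account.audit.append(f"recovery email changed {old} -> {account.recovery_email}")
    return {"recovery_email": account.recovery_email}


TOOLS: Dict[str, Callable[[Account, Dict[str, Any]], Dict[str, Any]]] = {
    "resend_login_code": tool_resend_login_code,
    "set_recovery_email": tool_set_recovery_email,
}


def authorize(tool: str, caller: Caller, account: Account) -> None:
    """Gate on who the session is, not on what the chat says. Raises Denied."""
    level = TOOL_LEVELS[tool]
    if level is Level.PUBLIC:
        return
    if caller.principal != account.owner_id:
        raise Denied(f"{tool} requires a session authenticated as the account owner")
    if level is Level.OWNER_SIGNOFF and not caller.explicit_signoff:
        raise Denied(f"{tool} requires explicit owner sign-off")


def dispatch(tool: str, args: Dict[str, Any], caller: Caller, account: Account) -> Dict[str, Any]:
    """Entry point the model's tool call goes through; authorization happens before any side effect."""
    if tool not in TOOLS:
        raise Denied(f"unknown tool {tool!r}")
    authorize(tool, caller, account)
    return TOOLS[tool](account, args)


def run_scenarios() -> Dict[str, Any]:
    """Replays the three cases that matter on constructed data and reports each outcome."""
    acct = Account(owner_id="u-1", recovery_email="owner@example.com")
    stranger = Caller(principal=None, geo_hint="spoofed: near owner's hometown")
    owner = Caller(principal="u-1", geo_hint="anywhere")
    owner_confirmed = Caller(principal="u-1", geo_hint="anywhere", explicit_signoff=True)
    out: Dict[str, Any] = {}
    for name, tool, args, who in [
        ("stranger_resend", "resend_login_code", {}, stranger),
        ("stranger_relink", "set_recovery_email", {"email": "attacker@example.com"}, stranger),
        ("owner_no_signoff", "set_recovery_email", {"email": "new@example.com"}, owner),
        ("owner_signoff", "set_recovery_email", {"email": "new@example.com"}, owner_confirmed),
    ]:
        try:
            out[name] = dispatch(tool, args, who, acct)
        except Denied as e:
            out[name] = f"denied: {e}"
    out["final_recovery_email"] = acct.recovery_email
    out["audit"] = list(acct.audit)
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The point of the shape is that the model never holds the key: it can only emit a tool call, and `authorize()` ignores everything about the conversation except the authenticated principal and the sign-off flag. An anonymous caller can still get a code sent to the email already on file, which is the legitimate recovery path, but cannot move the account to a new address no matter how the request is worded.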

We can’t afford to get it wrong, and frankly, neither can you.

What This Week Should Have Taught Every Founder

If you are building AI agents with any kind of account access, platform permissions, or the ability to take irreversible actions — measure twice, cut once.

Meta learned this in public, on the accounts of a former president and the United States Space Force. The lesson is available for free, and most are not.

Submissive to the right person, with the right instructions, inside a structure that knows the difference — that’s helpful and refreshing (not something you’d get from a human).

Tonimus.ai — we’re in private beta. Apply for early access.

Is your content actually working for you?

Take the Creator Revenue Audit — 4 minutes, honest results.

Take the Quiz →