Earlier this year, the Instagram accounts of the Obama White House and the Chief Master Sergeant of the U.S. Space Force were defaced with pro-Iranian images. The cause wasn’t a sophisticated hack or an inside job. It was Meta’s own AI customer support bot, tricked into resetting passwords.
Instructions on how to exploit Meta’s AI assistant began circulating on Telegram. The method was surprisingly simple: use a VPN with an IP address near the target’s location, request a password reset, and then choose to chat with Meta’s AI support bot. The attacker asked the bot to link a new email address to the account, and the bot obliged — sending a one-time code to the attacker’s email that allowed a full password reset.
Why This Matters for Your Business
If your business uses Instagram, Facebook, or any Meta platform for marketing, customer service, or sales, this should grab your attention. AI-powered customer support is being rolled out across the tech industry as a way to handle routine requests without human staff. But as security researcher Ian Goldin from Lumen’s Black Lotus Labs put it, “AI chatbots create interesting new attack surface, and we’re likely going to see a lot more of these kinds of attacks.”
Just like a human customer support agent can be social-engineered into giving away access, an AI bot can be persuaded too — sometimes more easily, because it’s programmed to be helpful. Meta’s bot was designed to help people recover locked accounts, a genuinely useful feature. But that helpfulness became a weapon when attackers learned how to talk to it.
The Good News: MFA Blocks This Attack
Here’s the detail that every Irish business owner should take to heart. The hackers who released the Telegram video said their exploit failed against any account that had multi-factor authentication (MFA) enabled. Even the most basic form of MFA — a one-time code sent via SMS — would have stopped them cold.
If you run a business account on any social media platform, enabling MFA is the single most effective thing you can do. Not a complicated security setup. Not expensive software. Just a second step when logging in. It takes two minutes to set up and could save you weeks of trying to recover a hijacked account.
The Bigger Picture: AI as a Security Risk
The Meta bot exploit is not an isolated incident. As more companies add AI chatbots to handle sensitive tasks — password resets, account recovery, payment support — the attack surface grows. These bots are trained on customer service scripts and designed to resolve issues, not to spot social engineering. They lack the scepticism a human support agent might develop after years of dealing with scammers.
Meta pushed an emergency patch after the exploit was made public and said no backend systems were breached. The fix is in place, for now. But new exploits will emerge as more companies rush to deploy AI in customer-facing roles without fully thinking through the security implications.
What You Can Do Right Now
Here are three practical steps for any Irish business using social media:
1. Turn on MFA for every business account. Not just Instagram — Facebook, X (Twitter), LinkedIn, TikTok. Every platform offers it. Use it.
2. Review your account recovery settings. Make sure backup email addresses and phone numbers are current. Remove any old devices or sessions you don’t recognise.
3. Treat AI support bots with caution. If you use AI-powered customer service on your own website, test what it can and can’t do. Can it be tricked into sharing account details or processing requests it shouldn’t?
AI is making customer support faster and more available. But as the Meta exploit shows, every new shortcut creates a new opportunity for the wrong people to slip through. A few minutes of prevention now can save you a lot of pain later.