Hi Dotikers!

Some hacks take weeks of prep, obscure code and a lot of coffee. And then there is this one, where you just had to ask nicely.

Over the weekend, attackers took control of several high-profile Instagram accounts, including the Obama-era White House handle and the account of the most senior enlisted leader of the US Space Force, plus Sephora's official profile. The method? Open a chat with Meta's AI support assistant and ask it to link a new email address to the target account. The bot complied, sent the verification code to that address, then calmly let the attacker reset the password. No memory exploit, no SQL injection. Just a polite "here is my new email, thanks in advance".

This is where it gets interesting. Meta had rolled out this assistant promising faster, simpler support, able to reset passwords and handle critical account functions. Solutions, not just suggestions, said the product page. You could argue the promise was kept, just not for the right people.

The real problem is not that the AI made a mistake. It is that we handed it the keys to the vault with no lock behind the door. Giving an autonomous agent the power to perform sensitive actions with no human check and no solid guardrail turns social engineering into a simple administrative formality. The detail that stings: two-factor authentication, even over SMS, was enough to block the attack.

This one is worth pausing on, because it sketches the new attack surface of 2026. When you hand support over to an AI that is a little too eager to please, you do not remove the risk. You just teach it to say yes.

Alex.

Your company going global shouldn’t mean endless headaches. Deel’s free guide shows you how to unify payroll, onboarding, and compliance across every country you operate in. No more juggling separate systems for the US, Europe, and APAC. No more Slack messages filling gaps. Just one consolidated approach that scales.

Get the free guide today