Over the weekend, an inactive Instagram account belonging to the Obama White House was defaced with pro-Iranian imagery. A few hours later, the account of the Chief Master Sergeant of the U.S. Space Force suffered the same treatment. The method, documented in a video circulating on Telegram and verified by KrebsOnSecurity and TechCrunch, was almost too stupid to believe: the hackers used a VPN to place themselves near the target's hometown, opened a chat with Meta's AI Support Assistant, and simply asked the bot to link the account to a new email address. The bot sent the verification code to that new address, which the attacker controlled. The attacker read it back. The bot handed over the password reset. At no point did the flow establish that the requester controlled the account or the contact already on it; it established only that the attacker could read an inbox the attacker had just named.

No exploit. No zero-day. No sophisticated social engineering. Just a polite request to a machine that had been given the keys to the kingdom and no instruction to ask why anyone was at the door.

The predictable commentary has already congealed around two poles. The security set is calling this an embarrassing technical failure — a $1.5 trillion company outsmarted by a chatbot with the security instincts of a golden retriever. The AI-skeptic crowd is using it as fresh kindling for the argument that we are recklessly handing infrastructure to models we don’t understand.

Both are right, but both are missing the larger, more uncomfortable point. Meta’s support bot did not malfunction. It performed precisely as designed. The problem is the design.

The Bot Was Never Asked to Suspect

Consider what Meta actually built. The AI Support Assistant was not deployed as a triage tool that escalates to humans. It was deployed as a full replacement for the account recovery workflow — the very workflow that, in any sane organization, would involve a human being squinting at an anomalous request and thinking, that’s odd.

How did this happen? Because Meta has spent the better part of a decade systematically defunding the kind of support infrastructure that produces that squint. The company laid off thousands of content moderators and customer-support staff across multiple rounds of cuts, most notably in 2023 and 2024, while simultaneously pouring billions into AI infrastructure. The bet was explicit: machine learning would handle what humans used to do, at a fraction of the cost.

You cannot be surprised when a company that gutted its human support staff discovers that its AI replacement has no human judgment. You can only be surprised that anyone expected a different outcome.

Scale Is the Enemy of Discernment

Here is the argument nobody inside a Big Tech campus wants to make, because it cuts against the entire operating philosophy of the industry: some problems do not get better with scale. They get worse.

Account recovery is the textbook example. A human support agent handles maybe thirty cases a day. They notice patterns. They develop a gut feeling for what smells wrong. An AI bot handles thirty thousand cases an hour and notices nothing, because noticing is not in the spec. The spec is throughput. The spec is cost-per-resolution. The spec is, "Did the user echo back the code we just mailed to the address they supplied? Then proceed."

What Meta discovered — and what its users discovered the hard way — is that when you optimize a support system for speed and cost, you are also optimizing it for gullibility. The two are not separable. Every second you shave off the resolution time is a second you have taken away from the possibility of suspicion.

One security researcher who examined the Telegram video told me, “It’s not even a prompt-injection attack in the technical sense. The bot wasn’t tricked into violating its instructions. Its instructions just didn’t include ‘verify that this person is who they say they are in any meaningful way.’” He paused. “That’s not a bug. That’s a business decision.”
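The recovery-flow flaw described above, as an added illustration that is not code from the original article or from Meta: a model of an email-relink step that mails the verification code to the address being added (what the video shows) beside one that mails it to the contact already on the account, with the other checks a practitioner would expect around such a code (constant-time comparison, single use, an attempt limit). Every name, function and address here is hypothetical, and the victim account and mail system are constructed in the block.

```python
# Added model of the recovery-flow flaw discussed above. Not Meta's code;
# every name and address here is hypothetical.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

MAX_ATTEMPTS = 3


@dataclass
class MailSystem:
    """Stand-in for email delivery: address -> list of messages delivered."""
    inbox: dict = field(default_factory=dict)

    def send(self, to: str, body: str) -> None:
        self.inbox.setdefault(to, []).append(body)

    def read_latest(self, address: str) -> Optional[str]:
        msgs = self.inbox.get(address)
        return msgs[-1] if msgs else None


@dataclass
class Account:
    username: str
    email: str                          # contact of record
    pending: Optional[dict] = None      # {"new_email", "code", "attempts"}
    reset_link_sent_to: Optional[str] = None


def _new_code() -> str:
    return f"{secrets.randbelow(10 ** 6):06d}"


# Vulnerable: the code goes to the NEW address, i.e. to whoever asked.
# Echoing it back proves possession of that inbox, not of the account.
def vulnerable_request_change(acct: Account, mail: MailSystem, new_email: str) -> None:
    code = _new_code()
    acct.pending = {"new_email": new_email, "code": code, "attempts": 0}
    mail.send(new_email, code)


# Hardened: the code goes to the contact already on record, so only someone
# who can read the owner's existing inbox can complete the change.
def hardened_request_change(acct: Account, mail: MailSystem, new_email: str) -> None:
    code = _new_code()
    acct.pending = {"new_email": new_email, "code": code, "attempts": 0}
    mail.send(acct.email, code)


def confirm_change(acct: Account, mail: MailSystem, submitted: str) -> bool:
    """Shared confirmation step. On success, relinks the contact and mails a
    reset link there. Wrong codes are counted and the code is burned after
    MAX_ATTEMPTS, so a six-digit code cannot simply be guessed."""
    p = acct.pending
    if p is None:
        return False
    p["attempts"] += 1
    if not hmac.compare_digest(p["code"], submitted):
        if p["attempts"] >= MAX_ATTEMPTS:
            acct.pending = None
        return False
    acct.pending = None                 # single use
    acct.email = p["new_email"]
    acct.reset_link_sent_to = acct.email
    mail.send(acct.email, "password-reset-link")
    return True


def attacker_attempt(request_change) -> tuple:
    """Attacker controls only attacker@example.net, asks to relink the
    (constructed) victim account to it, then reads back whatever arrived."""
    mail = MailSystem()
    victim = Account("victim", "owner@example.org")
    request_change(victim, mail, "attacker@example.net")
    code = mail.read_latest("attacker@example.net")
    if code is None:                    # nothing arrived: cannot proceed
        return False, victim
    return confirm_change(victim, mail, code), victim


def owner_attempt() -> tuple:
    """Legitimate owner completes the hardened flow from the inbox on record."""
    mail = MailSystem()
    acct = Account("victim", "owner@example.org")
    hardened_request_change(acct, mail, "new-owner@example.org")
    code = mail.read_latest("owner@example.org")
    return confirm_change(acct, mail, code), acct


def brute_force_capped() -> bool:
    """Three wrong guesses burn the pending code; the right code then fails too."""
    mail = MailSystem()
    acct = Account("victim", "owner@example.org")
    acct.pending = {"new_email": "n@example.org", "code": "123456", "attempts": 0}
    wrong = [confirm_change(acct, mail, g) for g in ("000000", "111111", "222222")]
    return not any(wrong) and acct.pending is None and not confirm_change(acct, mail, "123456")


if __name__ == "__main__":
    ok, v = attacker_attempt(vulnerable_request_change)
    print("vulnerable flow, attacker succeeds:", ok, "reset mailed to", v.reset_link_sent_to)
    ok, v = attacker_attempt(hardened_request_change)
    print("hardened flow, attacker succeeds:", ok, "reset mailed to", v.reset_link_sent_to)
    print("hardened flow, real owner succeeds:", owner_attempt()[0])
```

The hardened model deliberately has no answer for the owner who has lost access to the inbox on record: it refuses rather than guesses. That residual case is exactly the one the article argues needs a human willing to say "let me look into that," and it is the case an automated flow optimized for resolution rate is most tempted to wave through.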

The Liability Question Meta Hopes Nobody Asks

The company’s official response, as of Monday, was a single sentence acknowledging the issue and noting it had been addressed. Meta declined to say how many accounts were compromised. It declined to say whether the vulnerability had been reported internally before the weekend’s high-profile defacements — though reporting from Engadget indicates the method had been circulating since at least March.

That three-month gap matters. If a bank left its vault open for three months and only closed it after thieves posted a video of themselves walking in, regulators would not accept a one-sentence statement. They would ask hard questions about negligence. Meta is hoping — not unreasonably — that the same standard does not apply to a social media company. So far, that bet is paying off.

But the regulatory landscape is shifting. The EU’s AI Act classifies certain automated decision-making systems as high-risk. The FTC under the current administration has shown an appetite for holding platforms accountable for security practices that fall below a reasonable standard. Whether this specific incident triggers anything beyond a round of bad press remains to be seen.

What should be clear to anyone watching is that Meta’s AI support bot was not an isolated engineering failure. It was a philosophy made manifest: that human judgment is a cost center to be eliminated, that scale is a substitute for care, and that the inconvenience of a few hijacked accounts — even accounts bearing the names of former White House occupants — is an acceptable price to pay for the efficiency of never having to pay a human being to say “let me look into that.”

The goofiest exploit anyone has ever seen turns out to be not very goofy at all. It is the logical end of a very specific, very deliberate set of choices. The bot did its job. The question now is whether anyone will be forced to do theirs.
