On June 5, 2026, reports confirmed that attackers used Meta's AI customer support agent – Mythos – to hijack Instagram accounts. The same chatbot designed to help users became a weapon. No model bug, just an interface exploit. And it happened on one of the most popular platforms for Italian SMEs to sell and communicate.
Why this matters beyond the headlines: AI agents are now a prime attack vector. For European businesses, especially the small and medium ones that rely on social media and automated support, this is a red flag. Mythos was trained to handle support requests. Attackers learned to trick it into resetting passwords and granting access – social engineering for AI. If Meta can't fully secure its AI agent, what about a custom bot on a WordPress site or a Shopify store? The EU AI Act focuses on model risk, but it largely ignores the operational risk of deploying AI agents in customer-facing roles.
Our position is clear: AI security is not a technical problem – it's a governance one.
We've seen expired SSL certificates, unprotected forms, missing backups. Now add unprotected AI agents to the list. Security is not optional, and AI doesn't get a pass. For European SMEs, especially in Southern Italy where we work, the lesson is harsh: you cannot outsource trust. An AI agent on your e-commerce site is a new entry point. If you don't secure it like you secure your server, you're leaving the door open. When the damage comes – account theft, data loss, GDPR fines – the cost is real, not theoretical.
So what to do? For developers: every AI agent must have human oversight on sensitive operations (password resets, payments). For business owners: ask your vendor how they secure their bots. If they can't answer, find another vendor. For EU policymakers: update the AI Act to include “AI service agents” as an attack surface. Regulating the model is not enough if the interface is a sieve. We've been saying for 8 years that security in Italian SMEs is systematically undervalued. AI hacking is just the latest proof.
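For the developer point above (human oversight on sensitive operations), here is a minimal sketch of an approval gate placed between the agent and the backend. It is an added example, not code from Meta or any vendor. The action names, the `ToolGate` class and the session-binding check are assumptions made for illustration.

```python
import uuid
from dataclasses import dataclass, field
# Hypothetical action names; map them to your own bot's tools.
SENSITIVE = {"reset_password", "change_email", "issue_refund"}

@dataclass
class ToolGate:
    """Sits between the agent's proposed tool calls and the backend."""
    tools: dict                      # action name -> callable(**args)
    pending: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, status, action, actor, detail=""):
        self.audit.append((status, action, actor, detail))
        return {"status": status, "detail": detail}

    def request(self, action, args, session_user):
        """Handle a tool call proposed by the model (untrusted input)."""
        if action not in self.tools:
            return self._log("denied", action, session_user, "unknown tool")
        # Use the authenticated session's account, not an identity claimed in chat.
        if args.get("account") != session_user:
            return self._log("denied", action, session_user, "account mismatch")
        if action in SENSITIVE:
            ticket = uuid.uuid4().hex
            self.pending[ticket] = (action, args)
            return self._log("held", action, session_user, ticket)
        result = self.tools[action](**args)
        return {**self._log("executed", action, session_user), "result": result}

    def approve(self, ticket, reviewer):
        """Called from the human review queue, never by the agent."""
        action, args = self.pending.pop(ticket, (None, None))
        if action is None:
            return self._log("denied", "approve", reviewer, "unknown ticket")
        result = self.tools[action](**args)
        return {**self._log("executed", action, reviewer, ticket), "result": result}

def demo():  # constructed scenario: one routine, one spoofed, one held call
    resets = []
    gate = ToolGate(tools={
        "order_status": lambda account: f"{account}: shipped",
        "reset_password": lambda account: resets.append(account) or "link sent",
    })
    ok = gate.request("order_status", {"account": "alice"}, "alice")
    spoof = gate.request("reset_password", {"account": "bob"}, "mallory")
    held = gate.request("reset_password", {"account": "alice"}, "alice")
    before = list(resets)            # nothing has run before human approval
    done = gate.approve(held["detail"], "support-staff-1")
    return ok, spoof, held, before, done, resets
```

The gate enforces the rule in code that the model cannot talk its way around: whatever the conversation says, a sensitive action only runs after `approve` is called from a channel the agent has no access to.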