Simon Willison — 2026-06-01#

Highlight#

The standout piece today is a staggering security failure at Meta, where an overly empowered AI support bot allowed hackers to hijack high-profile Instagram accounts simply by asking. It serves as a stark, practical reminder of the dangers of wiring LLMs directly into sensitive operational workflows without robust authorization safeguards.

Posts#

Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked Simon highlights a massive security oversight where attackers successfully bypassed the Instagram account recovery process merely by instructing Meta’s AI support bot to link a new email address to a target username. He notes this barely qualifies as a sophisticated prompt injection, but rather a profound architectural failure where Meta granted an AI chatbot the ability to fast-forward through the entire account recovery process. The core takeaway is a blunt warning to developers: never wire your support bots to execute one-shot account takeovers.

pydantic-monty investigation Revisiting “Monty”—a sandboxed subset of Python implemented in Rust—Simon used Claude Code to evaluate its latest release. He confirms that crucial execution constraints, including max_duration_secs, max_memory, max_allocations, and max_recursion_depth, all function properly as advertised. Reliable sandboxing like this is an essential building block for safely executing untrusted, LLM-generated Python code.

May 2026 newsletter Simon published his monthly sponsors-only newsletter, which requires a $10/month sponsorship for immediate access (though non-sponsors can currently read the April edition as a preview). This edition recaps a month where Anthropic performed exceptionally well despite rising AI costs, notes that recent model releases have been somewhat disappointing, and covers his recent launch of Datasette Agent alongside other core Datasette updates.

Project Pulse#

The underlying theme today centers heavily on the practical realities of deploying AI safely, contrasting the severe security risks of over-privileged autonomous agents (Meta’s bot) with the defensive developer tooling required to responsibly sandbox untrusted code execution (Monty). Simultaneously, Simon continues to push forward on his own data tooling ecosystem with the new Datasette Agent.