Hackers exploited Meta's AI-powered support chatbot to infiltrate high-profile Instagram accounts, the company confirmed on Monday, stating that it has resolved the issue after researchers exposed the vulnerability.
Targeted Accounts
According to reporting from 404 Media, the targets ranged from Barack Obama's White House account to Sephora and the US Space Force Chief Master Sergeant. Everyday users also reported similar hijackings on Reddit and X over the weekend.
How the Hack Worked
Security researchers and hacking groups posted videos and screenshots on Telegram demonstrating how to steal an account. A video shared on X appears to show a hacker instructing Meta's AI assistant to link the targeted account to a new email address. The bot then assures the hacker that a verification code has been sent to that new email and asks for the code to be entered in the chat interface. Once the correct code is provided, a button to reset the account's password is displayed. In one instance, the hacker used a virtual private network to spoof the account holder's location, bypassing Meta's safeguards.
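The weak point in the flow described above is that a code sent to an address the requester supplied proves only that the requester controls that address, not the account. The following added example (not Meta's code; the function names, account handle and addresses are constructed for illustration) contrasts that gate with one possible mitigation, which accepts only a code delivered to a contact already bound to the account.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Account:
    handle: str
    verified_contacts: set                       # addresses already bound to the account
    pending: dict = field(default_factory=dict)  # address -> outstanding one-time code


def issue_code(account, address, code):
    """Record a one-time code sent to `address` (mail delivery is not modelled)."""
    account.pending[address] = code


def flawed_gate(account, new_email, code):
    """The flow in the article: the code goes to the address the requester named."""
    expected = account.pending.get(new_email)
    return expected is not None and hmac.compare_digest(expected, code)


def hardened_gate(account, code_address, code):
    """Accept a code only if it was delivered to a contact already on the account.

    Network location is deliberately not an input: the article notes it was
    spoofed with a VPN, so it cannot count as proof of ownership.
    """
    if code_address not in account.verified_contacts:
        return False
    expected = account.pending.pop(code_address, None)  # single use
    return expected is not None and hmac.compare_digest(expected, code)


def scenario():
    """Run both gates over constructed requests and return each decision."""
    acct = Account("example_brand", {"owner@example.com"})
    results = {}
    # Someone asks the assistant to link an address that only they control.
    issue_code(acct, "new@example.net", "111111")
    results["flawed_requester"] = flawed_gate(acct, "new@example.net", "111111")
    results["hardened_requester"] = hardened_gate(acct, "new@example.net", "111111")
    # The real owner proves control of the contact already on file.
    issue_code(acct, "owner@example.com", "222222")
    results["hardened_owner"] = hardened_gate(acct, "owner@example.com", "222222")
    results["hardened_replay"] = hardened_gate(acct, "owner@example.com", "222222")
    return results


if __name__ == "__main__":
    print(scenario())
```

The point of the design is that the check runs in the tool's code path, so the assistant cannot be talked out of it by anything said in the conversation.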
Meta's Response
Meta stated: "This issue has been resolved, and we are securing impacted accounts." The company did not disclose the total number of accounts affected.
Broader Concerns
The breach raises significant concerns about the safety of relying on artificial intelligence for critical security measures such as password resets. Meta, which is rapidly reorganizing its workforce around AI and integrating AI features into its platforms, launched the AI support assistant globally on Facebook and Instagram earlier this year. A press release for the feature explained that it can "take action for you on a growing set of requests directly within Facebook and in the future, on Instagram," including reporting scams, impersonation accounts, problematic content, and resetting passwords.
"The Meta AI support assistant is a major step in our work to deliver stronger support on our apps," the March press release stated.



