Hackers hijacked 20,000 Instagram accounts by tricking Meta's AI chatbot
Attackers exploited Meta's AI Support Assistant to add unauthorised email addresses to accounts they didn't own
Hackers have exploited a flaw in Meta's AI-powered support chatbot to take over more than 20,000 Instagram accounts, including profiles linked to the Obama-era White House and the US Space Force, using an attack method that required no technical sophistication whatsoever.
The hackers started a password reset on an Instagram account, selected Meta's “AI Support Assistant” as the contact method for the reset procedure, and then asked the chatbot to add an email address to the account.
The chatbot completed this request without requiring the hacker to be logged into the account. The verification code was then sent to the email address the hacker had supplied, and the hacker used it to change the account's password.
The process required no hacking tools, no code, and no special access. Dark Web Informer posted a video of the exploit in action.
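The failure described above is a support assistant performing a privileged account change (adding a recovery email address) without establishing who is asking. The following Python sketch is an added illustration, not Meta's code, that contrasts that pattern with a gated version of the same action and shows the audit record a defender would query. Every name in it (AccountStore, Session, vulnerable_add_email, hardened_add_email, confirm_email) and the sample data are constructed for this example.

```python
"""Added example: gating a support-bot "add recovery email" action.
All names and data here are constructed for illustration; nothing is Meta's code."""
from dataclasses import dataclass, field
from typing import Optional
import hmac
import secrets


@dataclass
class Account:
    username: str
    emails: list = field(default_factory=list)   # verified contact addresses
    pending: dict = field(default_factory=dict)  # staged email -> one-time token


@dataclass
class Session:
    """Identity of the caller. user is None for an unauthenticated chat."""
    user: Optional[str] = None
    strong_auth: bool = False  # password/passkey re-entered in this session


class AccountStore:
    def __init__(self):
        self.accounts = {}
        self.audit = []  # every attempt, allowed or denied, kept for detection

    def create(self, username, email):
        self.accounts[username] = Account(username, [email])
        return self.accounts[username]

    def log(self, caller, target, new_email, outcome):
        self.audit.append({"action": "add_email", "caller": caller,
                           "target": target, "email": new_email,
                           "outcome": outcome})


def vulnerable_add_email(store, target, new_email):
    """The pattern in the article: the assistant acts on the username and
    address in the request without checking who is asking, so reset codes
    go to an address the requester, not the owner, controls."""
    store.accounts[target].emails.append(new_email)
    store.log(None, target, new_email, "added")
    return "added"


def hardened_add_email(store, session, target, new_email):
    """Same action treated as a privileged account change: the caller must be
    signed in, must own the target account, and must have re-authenticated
    recently. Even then the address is only staged behind a one-time token
    that the new mailbox has to echo back before it becomes a recovery address."""
    if session.user is None:
        denial = "caller is not signed in"
    elif session.user != target:
        denial = "caller does not own the target account"
    elif not session.strong_auth:
        denial = "recent re-authentication required"
    else:
        denial = None

    if denial is None:
        # Token is delivered to new_email out of band; it is never shown in chat.
        store.accounts[target].pending[new_email] = secrets.token_urlsafe(16)
        outcome = "pending"
    else:
        outcome = "denied: " + denial
    store.log(session.user, target, new_email, outcome)
    return outcome


def confirm_email(store, target, new_email, token):
    """Promote a staged address once the mailbox proves it received the token."""
    acct = store.accounts[target]
    expected = acct.pending.get(new_email)
    if expected is None or not hmac.compare_digest(expected, token):
        return False
    del acct.pending[new_email]
    acct.emails.append(new_email)
    return True


def unauthenticated_email_changes(store):
    """Detection query: accounts whose recovery email changed with no caller
    identity on record. Under the hardened handler this list stays empty."""
    return [e["target"] for e in store.audit
            if e["action"] == "add_email"
            and e["caller"] is None
            and not e["outcome"].startswith("denied")]
```

The detection helper at the end is the query a response team would run over the audit trail to scope an incident like this one: any recovery-address change without an authenticated caller is, by construction, an action the legitimate owner could not have taken through the hardened path.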
TechCrunch reported that high-profile accounts were among those compromised. These included the Obama-administration White House Instagram page, which appears to have been inactive since 2017, and the page of Chief Master Sergeant John Bentivegna of the United States Space Force.
Meta later disclosed that about 20,225 Instagram accounts had been hijacked. Meta acknowledged that some of these resets may have been legitimate requests from the account owners, but most were not requested by the owner at all.
The attackers who were able to take over user accounts would have had access to an extensive range of personal details: profile information, email addresses, phone numbers, dates of birth, direct messages, posts on social media, and account activity logs.
For high-profile or verified accounts, that would also include any private messages and follower information held on the account.
Meta has invalidated all password reset links that were issued through this vulnerability and required the affected users to complete a mandatory security check together with a password reset.
Meta disabled the abused AI support tool immediately upon becoming aware of the exploit and has said it will only re-enable it once the underlying vulnerability has been fixed.
