Meta — the parent company of Facebook, Instagram, and WhatsApp — continues to integrate AI across its platform. Unfortunately, it appears the company overlooked a major flaw: Meta's AI support chatbot could apparently be tricked into providing unauthorized users with login access to any Instagram account.
Over the past few days, a number of highly followed Instagram accounts were hacked. The Obama White House Instagram account, with 2.4 million followers, was compromised and posted a caption on Sunday that stated: "The White House is under Shiites' control." Other accounts, such as the official Instagram account belonging to the Chief Master Sergeant of Space Force, were also hacked.
Soon after, sleuths on social media began sharing the news of these hacked accounts along with screen captures showcasing the alleged method used to take them over.
The hackers say they weaponized an exploit that tricked Meta's AI support chatbot into simply handing over account access. The bad actor would tell the AI chatbot that they needed to reset a targeted Instagram account's password. The hacker would also inform the chatbot that the password reset email, which includes the verification code needed to change the password, should be sent to a new email address.
The email address, of course, belonged to the hackers, not the true account holder. The chatbot would apparently oblige the hacker's request and provide them with the password reset page for the account.
In effect, the hackers were using a widely known social engineering tactic against an AI chatbot.
Some of the screen captures walking through the process were pulled from Telegram channels where hackers sell their exploits on black markets. Other screen captures were taken by users who say they replicated the hack.
This vulnerability is especially concerning because there's nothing that the targeted Instagram account holders could do to prevent it. The AI chatbot was seemingly bypassing two-factor authentication measures to abide by the hacker's requests.
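The design failure the article describes is an AI support agent whose conversational judgement was treated as authorization for a privileged action (sending a password reset to whatever address the chat asked for). The following Python sketch is an added illustration, not Meta's code and not a description of how Instagram's support system actually works: it shows the mediation pattern a defender would want, in which the agent can only propose a tool call, a deterministic policy layer derives the reset destination from the account's email of record rather than from the conversation, a redirect attempt is logged as a detection signal, and changing that email of record requires a session that has just passed its second factor. All names here (`Account`, `Session`, `mediate_reset`, `change_email_of_record`, the sample account and addresses) are assumptions constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email_of_record: str  # the only address a reset link may ever be sent to
    mfa_enabled: bool


@dataclass
class Session:
    username: str
    mfa_verified: bool  # True only after a fresh second-factor check


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, event: str, **fields) -> None:
        self.entries.append({"event": event, **fields})


# Constructed sample data for the example; not real accounts.
ACCOUNTS = {
    "example_account": Account("example_account", "owner@example.com", True),
}


def agent_proposal(username: str, requested_email: str) -> dict:
    """Shape of what a chat agent emits after a conversation: a *proposal*.
    The weak design is to execute this dict as-is, trusting 'to' simply
    because the user talked the agent into it."""
    return {"tool": "send_password_reset", "username": username, "to": requested_email}


def mediate_reset(proposal: dict, accounts: dict, audit: AuditLog) -> dict:
    """Policy layer that decides independently of the chat transcript.
    The destination is taken from the account record, never from the proposal."""
    acct = accounts.get(proposal.get("username", ""))
    if acct is None:
        audit.record("reset_denied", reason="unknown_account")
        return {"allowed": False, "reason": "unknown_account"}
    requested = proposal.get("to", "").strip().lower()
    if requested != acct.email_of_record.lower():
        # A request to send the reset somewhere other than the email of record
        # is the pattern the article describes: log it for detection and refuse.
        audit.record("reset_redirect_attempt", username=acct.username, requested_to=requested)
        return {"allowed": False, "reason": "destination_not_email_of_record"}
    # Sending the link does not weaken login: MFA still applies afterwards.
    audit.record("reset_sent", username=acct.username, to=acct.email_of_record)
    return {"allowed": True, "sent_to": acct.email_of_record,
            "mfa_still_required": acct.mfa_enabled}


def change_email_of_record(accounts: dict, session: Session, new_email: str,
                           audit: AuditLog) -> bool:
    """The only legitimate way to move future resets to a new address:
    an authenticated session that has just passed its second factor.
    A support chat, however persuasive, never carries that proof."""
    acct = accounts.get(session.username)
    if acct is None or (acct.mfa_enabled and not session.mfa_verified):
        audit.record("email_change_denied", username=session.username)
        return False
    acct.email_of_record = new_email
    audit.record("email_changed", username=acct.username, to=new_email)
    return True


if __name__ == "__main__":
    log = AuditLog()
    # Legitimate request: destination matches the email of record.
    print(mediate_reset(agent_proposal("example_account", "owner@example.com"), ACCOUNTS, log))
    # The article's scenario: the chat asks for the reset to go to a new address.
    print(mediate_reset(agent_proposal("example_account", "other@example.net"), ACCOUNTS, log))
    for entry in log.entries:
        print(entry)
```

The point of the split is that the language model is never the last line of defence: whatever it is persuaded to propose, the policy function has no code path that sends a reset anywhere except the stored address, and the `reset_redirect_attempt` audit event gives a security operations team a concrete signal to alert on when such requests cluster against high-profile accounts.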
Since news of the hacked accounts went public on social media, Meta appears to have acknowledged and fixed the vulnerability.
Mashable contacted Meta with questions about this incident, and we will update this story if we receive more information. However, on social media, Meta VP of Communications Andy Stone acknowledged the Meta AI support exploit.
"This issue has been resolved and we are securing impacted accounts," Stone said in a reply to a user on X.
It's unclear how many accounts were impacted by this exploit.