Meta has found itself in the middle of a massive security scandal, as it has been revealed that hackers have managed to hijack Instagram accounts by tricking the company's own AI-powered customer service bot.
On social media (link X / Twitter) and in Telegram groups of cybersecurity researchers, shared videos and screenshots show that taking over accounts was easy and only required a conversation with the AI bot.
The attack was based on hackers contacting Meta's AI support assistant and simply asking it to link the target account to a new email address.
The AI bot agreed to the request and sent a verification code to the address provided by the attacker. When the hacker entered the code back to the bot, it offered a direct button to reset the password, after which the victim no longer had access to their own account.
So that Instagram's automatic security systems would not have alerted about suspicious activity, the attackers used a VPN connection to fake their location to match the victim's presumed location. Hackers did not need at any point to access the victim's original email account.
Among the hijacked accounts there have been several well-known entities, such as Barack Obama's White House official Instagram account, cosmetics giant Sephora, and the well-known cybersecurity researcher Jane Wong (link X / Twitter).
Instagram spokesperson Andy Stone has confirmed on social media that the vulnerability affecting the AI in question has now been fixed. The matter was reported by, among others, TechCrunch and 404 Media.
The attack was based on hackers contacting Meta's AI support assistant and simply asking it to link the target account to a new email address.
The AI bot agreed to the request and sent a verification code to the address provided by the attacker. When the hacker entered the code back to the bot, it offered a direct button to reset the password, after which the victim no longer had access to their own account.
So that Instagram's automatic security systems would not have alerted about suspicious activity, the attackers used a VPN connection to fake their location to match the victim's presumed location. Hackers did not need at any point to access the victim's original email account.
Among the hijacked accounts there have been several well-known entities, such as Barack Obama's White House official Instagram account, cosmetics giant Sephora, and the well-known cybersecurity researcher Jane Wong (link X / Twitter).
Instagram spokesperson Andy Stone has confirmed on social media that the vulnerability affecting the AI in question has now been fixed. The matter was reported by, among others, TechCrunch and 404 Media.
