META'S AI CHATBOT EXPLOITED TO HIJACK INSTAGRAM ACCOUNTS

Meta's AI-powered customer support assistant became a tool for account hijacking after attackers discovered they could convince the chatbot to perform sensitive account recovery actions on behalf of others. According to 404 Media, hackers demonstrated the exploit by asking Meta's AI chatbot to switch the email address associated with a target Instagram account, then reset the password. The compromised accounts were subsequently resold, with hackers targeting valuable handles. High-profile victims included the @obamawhitehouse Instagram account and the account for the Chief Master Sergeant of the U.S. Space Force. Both were briefly defaced with pro-Iranian images and messages over the weekend before Meta regained control. Instructions on how to execute the attack circulated on Telegram, enabling multiple threat actors to exploit the vulnerability. The hack exposed a critical flaw in Meta's AI support system—the chatbot was apparently unable to adequately verify user identity before processing account recovery requests. Meta acknowledged the issue and stated the vulnerability has since been patched. The company did not provide detailed information about how many accounts were compromised or additional specifics about the security fix. The incident highlights risks associated with deploying AI chatbots for sensitive operations like account recovery. Unlike traditional support workflows that may include multi-factor verification steps, the AI assistant appears to have lacked sufficient safeguards against social engineering attacks. Users affected by account takeovers reported being locked out of their profiles. Meta did not immediately clarify the process for victims to regain access to hijacked accounts or whether the company would implement additional security measures for account recovery going forward.