AI Exploit Compromises Instagram Security
A significant vulnerability in Meta’s AI-driven support system for Instagram has been exploited by hackers, allowing them to gain unauthorized access to accounts by bypassing two-factor authentication. This breach has raised concerns about the security of high-value accounts, including verified profiles and dormant institutional handles.
How Hackers Manipulated Meta’s AI
The breach occurred over a weekend, targeting exclusive “OG” Instagram usernames, institutional accounts, and verified profiles, which were quickly listed for sale on Telegram. The attackers used a VPN to mask their location, ensuring their activities went undetected by Instagram’s fraud detection systems.
By engaging with Meta’s AI Support Assistant, attackers issued requests in plain language to change the email associated with target accounts. The AI bot, equipped with elevated permissions, executed these changes without verifying identity, thus facilitating unauthorized access.
Consequences of the Security Breach
Once the AI bot linked a new email to the account, it provided a verification code to the hacker, who then completed the password reset process, effectively locking out the original owner. Notably, legitimate account holders were not alerted during this attack, leaving them unaware of any changes made.
Prominent accounts affected included the @obamawhitehouse handle and other high-value usernames. These accounts were subsequently defaced and their security compromised. The breach prompted a swift response from Meta, who released an urgent fix to restrict the AI’s direct access to account management APIs.
Preventative Measures and Future Implications
Meta claims the specific vulnerability has been patched, yet the threat of account hijacking remains. Users are advised to switch to more secure authentication methods such as hardware security keys or authenticator apps to mitigate the risk of similar incidents.
Experts recommend using private emails for account recovery and regularly auditing active sessions to spot unauthorized access. This incident highlights the potential risks associated with deploying AI systems capable of executing sensitive operations without stringent verification protocols.
As organizations continue to integrate AI into customer support, ensuring robust security measures are in place is crucial to protecting user data and maintaining trust.
