Meta has revealed that around 20,000 Instagram accounts might have been compromised due to misuse of an AI-powered account recovery tool. Hackers manipulated the tool to gain unauthorized access to user accounts.
Exploitation of AI Recovery Tool
Hackers were able to take control of Instagram accounts by instructing Meta’s chatbot to associate their email addresses with the targeted accounts. This manipulation granted them the ability to reset passwords and seize control of the accounts.
Among the compromised accounts were those belonging to high-profile individuals and organizations, such as the Obama White House, Sephora, and US Space Force Chief Master Sergeant John Bentivegna. Some of these accounts were reportedly sold on the dark web.
Meta’s Response and Investigation
In response to the incident, Meta has notified authorities, including the Maine Attorney General’s Office. While the potential number of affected accounts is estimated at 20,225, Amber Hannah, Meta’s associate general counsel, suggested that the actual figure might be lower.
The breach was traced back to a flaw in the High Touch Support (HTS) tool, discovered on May 31. This tool is designed to assist users in regaining access to their accounts, but a bug allowed unauthorized email addresses to receive password reset links.
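The control that failed in the flaw described above can be sketched as a server-side check on where a reset link may go. This is an added example, not Meta's code: the record layout, function names and the seven-day cooling-off period are assumptions, and the sample account is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COOLING_OFF = timedelta(days=7)  # assumed policy value, not from the article

@dataclass
class Contact:
    email: str
    verified: bool       # owner proved control of the mailbox
    added_at: datetime
    added_by: str        # "owner" or "support_tool" (hypothetical labels)

@dataclass
class Account:
    handle: str
    contacts: list = field(default_factory=list)

def support_tool_add_email(account, email, now):
    """An address supplied through a recovery assistant is stored as
    unverified and tool-added, so it cannot be a reset target by itself."""
    account.contacts.append(Contact(email, False, now, "support_tool"))

def reset_link_decision(account, requested_email, now):
    """Return (allowed, reason) for sending a password reset link.
    Enforced outside the chatbot, so conversation text cannot change it."""
    wanted = requested_email.strip().lower()
    match = next((c for c in account.contacts if c.email.lower() == wanted), None)
    if match is None:
        return False, "address not on account"
    if not match.verified:
        return False, "address never verified by owner"
    if match.added_by != "owner":
        return False, "address was attached by the support tool"
    if now - match.added_at < COOLING_OFF:
        return False, "address added too recently"
    return True, "ok"

if __name__ == "__main__":
    now = datetime(2025, 1, 15)  # constructed timestamp
    acct = Account("constructed_user",
                   [Contact("owner@example.com", True, datetime(2020, 1, 1), "owner")])
    support_tool_add_email(acct, "newcomer@example.net", now)
    for addr in ("owner@example.com", "newcomer@example.net", "other@example.org"):
        print(addr, reset_link_decision(acct, addr, now))
```

Denied decisions are worth logging with the account handle and requested address, since repeated denials against one account are a useful signal of attempted takeover.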
Security Measures and Future Outlook
Meta has taken immediate action by disabling the exploited tool, intending to reactivate it only after ensuring the vulnerability is fixed. It has also invalidated the password reset links and enforced security checkpoints to protect affected accounts.
Meta plans to alert potentially impacted users, advising them to review their security settings and activate two-factor authentication. This proactive measure is crucial to prevent future unauthorized access.
The incident highlights the importance of robust cybersecurity practices in protecting online identities. Meta’s swift action and ongoing investigation emphasize their commitment to user security.
