Instagram AI Support Tool Tricked into Handing Over Account Access
Meta confirms a resolution for a vulnerability that allowed hackers to bypass security by manipulating the company's automated support assistant.
Primary source: BBC World News. Full source links, newsroom standards, and correction details are below.
Fast summary
Start here
- Meta resolved an exploit that allowed its AI chatbot to be manipulated into handing over account access.
- Attackers used VPNs and specific prompts to trick the AI support tool into changing account emails.
- The vulnerability reportedly affected high-profile users, including an account formerly used by Barack Obama.
What happened
Meta has confirmed it resolved a security vulnerability within Instagram's AI-powered support assistant that enabled hackers to take over user accounts. The exploit allowed unauthorized individuals to manipulate the chatbot into changing the email addresses and passwords associated with targeted profiles, effectively locking out the rightful owners.
What's new in this update
Meta spokesperson Andy Stone announced on X that the issue has been mitigated and the company is currently working to secure accounts impacted by the breach. While reports suggested that accounts belonging to world leaders had been compromised, Stone dismissed those specific claims as "totally false," despite reports of high-profile verified accounts being affected.
Key details
The hacking method involved attackers using virtual private networks (VPNs) to spoof the geographic location of their targets. Once the AI support bot was convinced the request was coming from the correct location, hackers prompted the assistant to link a new email to the account. The AI then sent verification codes and password reset links to the attacker-controlled email address.
Background and context
The vulnerability was documented by security researchers, including former Meta engineer Jane Manchun Wong, who reported unauthorized password reset attempts on her own profile. This security failure follows Meta's significant workforce reductions and its pivot toward AI-driven customer service, which has faced criticism for leaving users with little to no access to human support during account crises.
What to watch next
The incident is expected to intensify scrutiny from international regulators over Meta's reliance on automated systems for critical security functions. Observers will be monitoring whether Meta reinstates human oversight for account recovery processes following an EU dispute body's recent claim that the company rarely responds to inquiries regarding wrongly banned or hacked users.
Why this matters
This incident highlights the significant security risks associated with deploying autonomous AI systems for sensitive tasks like account recovery without human oversight.
Reader context
This story belongs to Northstar Herald's world coverage, with related entities including Meta, Instagram, Account Hijacking, Andy Stone. The report is based on BBC World News source material.
Related coverage
Why it matters
This incident highlights the significant security risks associated with deploying autonomous AI systems for sensitive tasks like account recovery without human oversight.
Read next
Follow this story through the topic hub, more world coverage, and the latest updates.
Weekly briefing
Get the week's key developments in one concise email.
Get a fast catch-up on the biggest stories, the context behind them, and the links worth your time.
Cadence
Weekly, for a quick catch-up
Coverage
AI, business, world, security, sports
Format
Clear takeaways and useful context
Request the briefing
Leave your email to open a prepared request and get on the list for the weekly briefing.
Author
The world desk follows geopolitics, humanitarian crises, diplomacy, and major international developments with an emphasis on fast updates and public-interest context.
Sources and methodology