Meta fixes AI security flaw after Instagram account hacks

Meta has fixed a major AI security flaw in its support assistant that enabled hackers to bypass security measures and take over premium Instagram accounts. The vulnerability, exposed on Telegram and later on X, allowed attackers to hijack accounts without access to the victim’s email or phone number. Andy Stone, a Meta communications official, confirmed the issue was resolved and impacted accounts were being secured. The exploit required attackers to use a virtual private network (VPN) to match the target’s geographic location, bypassing automated regional safeguards. Once the location was matched, hackers triggered a password reset, opening a chat window with Meta’s AI Support Assistant. They instructed the automated system to change the account’s registered email address to their own, prompting the chatbot to send an 8-digit verification code directly to the attacker. After entering the code into the chat interface, the system generated a password reset link, allowing attackers to set a new password and lock out the legitimate account owner. The campaign reportedly compromised several high-profile accounts over the weekend, including the inactive Barack Obama White House Instagram page, Sephora’s official account, and the personal account of US Space Force Chief Master Sergeant John Bentivegna. The Obama White House account, inactive since 2017, was briefly defaced with pro-Iranian images and messages before Meta intervened. The breach was discovered on Sunday after unusual posts appeared on the account, according to a report by TMZ. Meta’s AI Support Assistant, launched globally earlier this year, was the primary tool exploited in the hacking campaign.