Meta Says Thousands of Instagram Accounts Were Breached Through Its AI Support Assistant

Meta disclosed that 20,225 Instagram accounts were breached after hackers exploited its AI-powered support assistant to reset passwords and gain control, including high-profile accounts like Barack Obama’s White House account and the U.S. Space Force’s Chief Master Sergeant account. The breach, discovered on May 31, stemmed from a bug that let attackers link unauthorized email addresses to target accounts, bypassing verification checks on accounts without two-factor authentication.

Meta revealed that hackers compromised 20,225 Instagram accounts by tricking its AI support assistant into helping them reset passwords. The breach, disclosed in a data breach notice filed with Maine’s attorney general on June 2, began on April 17 and was discovered on May 31.

Attackers used VPNs to mimic geographic proximity to targets, initiated password resets, and then asked Meta’s AI assistant to link their controlled email addresses to the accounts. The AI assistant sent password reset links to the attackers’ emails, allowing them to seize control, though only on accounts without two-factor authentication. The flaw occurred because the AI tool failed to verify that the email address provided during a password reset matched the account’s actual email. Meta confirmed in its notice that the AI itself functioned correctly but that a separate code path lacked proper verification.

The company stated it does not yet know what personal data, if any, was accessed, though potential exposure includes contact details, birthdates, profile information, messages, and linked account data. Among the affected accounts were high-profile targets, including the Barack Obama White House account, the U.S. Space Force’s Chief Master Sergeant account, and the makeup brand Sephora’s official page.

Meta has since fixed the issue, secured impacted accounts, and restored access to affected users. The company emphasized that internal backend checks failed but that the AI assistant was not directly at fault.

This incident highlights growing concerns about AI’s role in cybersecurity vulnerabilities. Recent reports indicate hackers are using AI to discover zero-day exploits, while defense agencies explore weaponizing AI models. Meta’s AI support assistant, launched in March, was designed to assist users with account recovery but inadvertently created an entry point for unauthorized access. The company assured regulators and affected individuals that the underlying cause has been addressed. Meta also noted that it will formally notify those potentially impacted by the breach, though no specific details about accessed data were provided in the filing.
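The missing check described above, modeled as an added example (not Meta's code and not taken from the filing): a reset tool that mails the link to a requester-supplied address, beside one that only ever mails the address on file. The `Account`, `Outbox` and function names are hypothetical, and the usernames and addresses are constructed.

```python
"""Constructed model of a support-tool password reset; not Meta's code."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    verified_email: str  # address the owner confirmed when it was added


@dataclass
class Outbox:
    """Stand-in for a mail sender; records (recipient, body) pairs."""
    sent: list = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


def _norm(email: str) -> str:
    return email.strip().lower()


def reset_vulnerable(account: Account, requested_email: str, outbox: Outbox) -> bool:
    """Flawed path: the requester's address becomes the destination,
    and is never compared with the address on the account."""
    outbox.send(_norm(requested_email), f"reset:{secrets.token_urlsafe(32)}")
    return True


def reset_hardened(account: Account, requested_email: str, outbox: Outbox) -> bool:
    """Hardened path: the supplied address is only compared, never used
    as a destination. All mail goes to the address on file."""
    on_file = _norm(account.verified_email)
    supplied = _norm(requested_email)
    if not hmac.compare_digest(supplied.encode(), on_file.encode()):
        # Tell the real owner that someone attempted a reset; send no link.
        outbox.send(on_file, "notice: reset requested with an unrecognised address")
        return False
    outbox.send(on_file, f"reset:{secrets.token_urlsafe(32)}")
    return True


if __name__ == "__main__":
    acct = Account("constructed_user", "owner@example.com")
    for fn in (reset_vulnerable, reset_hardened):
        box = Outbox()
        ok = fn(acct, "intruder@example.net", box)
        print(fn.__name__, ok, [to for to, _ in box.sent])
```

Placing the check inside the reset function, rather than in the assistant that calls it, means every caller inherits it, which matters when the gap sits in a separate code path as the notice describes.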

This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.
