It seems the AI revolution that major companies are boasting about has backfired in an unexpected way, and this time the victims are Meta and Instagram users. In a new and embarrassing security scandal, Meta confirmed that thousands of Instagram accounts were hacked and stolen because of a bizarre vulnerability in its AI-powered customer service and account recovery chatbot: hackers were simply able to talk the bot into handing over account access with almost no effort.

A smart robot or a naive one? Breach details by the numbers
According to the official data breach notice filed by Meta with the Maine Attorney General’s office, the company sent alerts to at least 20,225 users confirming that their Instagram accounts had been fully compromised. It wasn’t just about gaining access to the account; hackers were also able to take control of linked accounts, access contact information, birth dates, direct messages (DMs), posts, and all account activity.

This widespread breach reveals the danger of relying entirely on AI for sensitive operations like account recovery without careful human oversight or strict verification mechanisms, leaving thousands of users as victims of a software bug that could have been easily avoided if the system had been adequately tested before being released to the public.
How did the trick work? They simply asked for the code and it gave it to them!

The vulnerability lay in Instagram’s AI-powered account recovery system. Hackers targeted accounts that had not enabled “Two-Factor Authentication” (2FA). They contacted the customer service bot and asked it to reset the password and send the verification code to an email address belonging to the hackers instead of the original email registered to the account. Ironically, the bot complied with the request readily and without any hesitation!
Meta explained in its official letter: “The tool itself was working as intended, but due to a bug in a separate code path, the system did not properly verify that the email address provided by the person requesting the password reset matched the email address associated with the account owner.” As a result of this fatal error, when the hacker provided a new email address, the bot immediately sent the password reset link to it instead of rejecting the request.
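The missing check Meta describes is easy to see in code. The following is an added illustration, not Meta’s or Instagram’s code: it models a password-reset handler over an in-memory account store and a stand-in mailbox (both assumptions), once with the flaw the article describes and once hardened so that a reset link can only ever go to the address already bound to the account, with mismatching requests recorded for detection.

```python
# Added illustration; not Meta's code. Models the reset flow the article
# describes with a toy in-memory account store and mailbox (assumptions).
import hmac
import secrets
from dataclasses import dataclass, field

# One response for every outcome, so the flow never confirms whether a
# username exists or which address is registered to it.
GENERIC_RESPONSE = "If that account exists, a reset link was sent to its registered email."


@dataclass
class Account:
    username: str
    registered_email: str  # the only address a reset link may ever go to


@dataclass
class Mailbox:
    """Stand-in for an outbound mail service; records (recipient, body)."""
    sent: list = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


def _normalize(email: str) -> bytes:
    return email.strip().lower().encode()


def vulnerable_reset(accounts: dict, mailbox: Mailbox, username: str, requested_email: str) -> str:
    """The failure mode the article describes: the address supplied by the
    requester is trusted as the destination, with no check against the
    address bound to the account."""
    acct = accounts.get(username)
    if acct is None:
        return GENERIC_RESPONSE
    token = secrets.token_urlsafe(32)
    mailbox.send(requested_email, f"Reset token for {username}: {token}")  # wrong recipient
    return GENERIC_RESPONSE


def hardened_reset(accounts: dict, mailbox: Mailbox, username: str, requested_email: str, audit: list) -> str:
    """Reset links go only to the stored address. The requester's address is
    treated as a claim to be checked, never as a delivery target, and a
    mismatch is recorded so a campaign of such requests is visible."""
    acct = accounts.get(username)
    if acct is None:
        return GENERIC_RESPONSE
    if not hmac.compare_digest(_normalize(requested_email), _normalize(acct.registered_email)):
        audit.append({"event": "reset_email_mismatch", "username": username, "requested": requested_email})
        return GENERIC_RESPONSE
    token = secrets.token_urlsafe(32)
    mailbox.send(acct.registered_email, f"Reset token for {username}: {token}")
    return GENERIC_RESPONSE


def run_demo() -> dict:
    """Constructed scenario: one account, one reset request naming a
    different address, run through both handlers."""
    accounts = {"alice": Account("alice", "alice@example.com")}
    other_address = "someone-else@example.net"  # constructed; not the account's address

    vuln_box = Mailbox()
    vulnerable_reset(accounts, vuln_box, "alice", other_address)

    safe_box, audit = Mailbox(), []
    hardened_reset(accounts, safe_box, "alice", other_address, audit)
    hardened_reset(accounts, safe_box, "alice", "Alice@Example.com ", audit)  # legitimate request with case/space noise

    return {
        "vulnerable_recipient": vuln_box.sent[0][0],
        "hardened_recipients": [to for to, _ in safe_box.sent],
        "mismatches_logged": len(audit),
    }


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the caller-supplied address never becomes the delivery target; the hardened handler compares it against the stored address and, on mismatch, returns the same generic response while writing an audit record, which is the signal a defender would alert on when many accounts receive such requests in a short window.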
The duration of the breach and the steps Meta took to address the disaster
Reports indicate that this campaign began around April 17 and continued for weeks until earlier this week when Meta finally noticed and secured the system. During this period, hackers wreaked havoc on thousands of users’ accounts without the company’s knowledge. Meta finally disabled the bot temporarily and deleted the code causing the problem, and has begun reviewing all other chatbots across its platforms to ensure there are no similar vulnerabilities.

This embarrassing incident for Meta comes shortly after it laid off thousands of employees and engineers, while continuing to pay huge sums and bonuses to executives while announcing its full pivot toward AI. Perhaps Meta should realize that fast AI is no substitute for real security and skilled human engineers who protect systems from such naive mistakes.