Hackers Exploit Meta AI Flaw to Hijack Instagram Accounts
Meta has come under fire for a security flaw in its AI-powered customer-service tool that enabled hackers to hack into Instagram accounts. The bug, which was discovered over the weekend, allegedly allowed hackers to access a number of popular accounts, including the now-inactive account of the Obama White House.
The reports state that the exploit was based on Meta’s AI chatbot that was recently tasked with dealing with some account recovery and security questions. Hackers reportedly used the chatbot to add unauthorised email addresses to targeted Instagram users. After successfully confirming the new email address, attackers might be able to change the password of the email account, allowing them to take complete control.
Since then, Meta has admitted to the problem and stated that it has remediated. The company said it is trying to get all of the affected accounts and ensure that it does not happen again in the future.
The way the attack was made was extremely simple. It is believed that the cybercriminals were able to appear to be connecting from close to the account owner’s typical area of operations by using VPNs. They then instructed Meta’s AI chatbot to add a new email address to the account. Rather than asking the owner of the legitimate account to do an extra check, the chatbot supposedly forwarded a one-time verification code directly to the attacker’s email. This enabled the hackers to logon to the new email and carry out a password reset.
Some significant accounts were reportedly hacked during the attacks. In addition to the Obama White House account, victims included the Chief Master Sergeant of the U.S. Space Force, cosmetics retailer Sephora and cyber security researcher Jane Wong. A lot of the affected users reported receiving unexpected emails to reset their password from Instagram and being logged out of their Instagram account.
The incident rekindled fears on the increasing use of AI in sensitive security roles. Meta’s move to automated recovery processes opened the door for bad actors to carry out exploits without the presence of any human oversight, critics say. Others referred to it as “one AI fooling another AI,” as they saw the dangers in over-automating decision-making.
Not all users were susceptible, according to security experts. On average, accounts with multi-factor authentication (MFA) or passkeys were more effective at fending off takeover attempts. Many of the attacks could not be successful even if the users had used the basic 2FA for SMS-based login, which is yet another reason why using other forms of authentication is important.
The loophole coincides with Meta’s push on the artificial intelligence front, across its operations. The firm has shed resources in certain areas to prioritize its AI initiatives and still plans to spend billions of dollars on AI infrastructure and data center investments. Meta recently raised its forecast capital expenditures for 2026 to $125 billion – $145 billion, which represents a large amount of spending on AI development.
The incident raises awareness about the risks of using AI in systems where identity verification and account security are critical.This incident serves as a cautionary tale about the dangers of using AI in systems that rely on identity verification and account security. While using automated systems can streamline processes, it could also create new vulnerabilities if good protection measures are not put in place.
Meta says it has fixed the bug, but it’s a wake-up call for tech companies and users. While organizations are increasingly adopting AI to oversee critical functions, it is still vital to have robust security measures and human oversight. The incident serves as a further reminder to every user to take steps to increase account security and use multi-factor authentication, where available.
As seen in the case of Instagram, AI can improve digital services, but there is no such thing as fully automating trust and security. The challenge for the industry will be to strike a balance between innovation and solid protection as AI increasingly seeped into online platforms.