Meta is securing high-profile Instagram accounts after hackers exploited the company's AI support chatbot to gain unauthorized access.

This incident highlights a critical vulnerability in automated security systems, where AI-driven support can be manipulated to bypass traditional account recovery safeguards.

The breach occurred when attackers tricked the AI chatbot into linking target accounts to new email addresses. To bypass security checks, hackers used a VPN to route their connection through an IP address close to the account owner's usual location, a security researcher said [2]. Once the AI was convinced of the user's identity, it allowed the hackers to reset account recovery settings.

Reports of the vulnerability surfaced early this month, with some accounts compromised as recently as June 2 [1]. The process used to deceive the bot was described as a single simple trick [2]. This method allowed attackers to seize control of major accounts by exploiting the AI's verification process.

Critics have pointed to a lack of transparency from the company regarding the breach. Wong said Meta gave zero updates about the AI bot hacking incident until it got to the press [3].

Meta has since taken steps to secure the compromised accounts. The company's AI support bot effectively opened the door for Instagram hackers, according to The Wiretap newsletter [4]. The incident underscores the risks of replacing human verification with AI in sensitive security workflows, particularly when location data can be easily spoofed via VPNs.

This breach demonstrates the 'automation paradox,' where AI designed to streamline user support creates new attack vectors. By relying on spoofable data like IP addresses to verify identity, Meta's AI failed to distinguish between a legitimate user and a sophisticated attacker. This may force social media platforms to reintegrate human oversight or implement more robust multi-factor authentication for account recovery.