3 Sources
[1]
Hackers Conned a Chatbot to Hijack 20,000 Instagram Accounts
Just over a week ago, Meta's AI-powered chat assistant unwittingly gave hackers access to thousands of Instagram accounts, including high-profile ones such as makeup retailer Sephora and the top noncommissioned officer of the US Space Force, as well as Barack Obama's White House account. The exact number was later revealed in a regulatory filing with the Maine attorney general's office. The total stands at 20,225 compromised accounts.

The hack, reported by 404 Media last week, was easy to pull off against account holders who had not enabled two-factor authentication. Hackers simply asked the AI-powered bot to change the email address for a targeted account to their own. Once that was granted, the hackers requested a password reset, prompting the AI to send a code to their personal email address. After hackers verified the password reset, they were able to take control of the account. An edited step-by-step video of the process even appeared on X, showing how the hackers used a VPN to make it seem they were in the target's location. At no point did the hackers even need the user's email address or original password.

In an incident notification letter to Maine Attorney General Aaron Frey, dated June 5, Meta acknowledged "a vulnerability in the AI-assisted account recovery system for Instagram ... that was exploited by unauthorized third parties to perform password resets on Instagram user accounts." After the exploit was made public, many Instagram users reported on Reddit and X that their accounts had been hacked, though the breadth of the hack wasn't clear at the time. A Meta spokesperson posted on X that the exploit was fixed as of June 1, shortly after initial reports.

How did AI let the hack happen?

The problem is almost entirely due to Meta's customer support now being run by AI. The tech giant made the switch back in March, saying it would enable "24/7 help for account issues like updating your password and settings for your profile." But with the AI chatbot handling the whole process, humans couldn't step in when suspicious activity began. That allowed hackers to carry out the social engineering-style attack and pull it off multiple times before anyone noticed.

Impacted accounts were forcibly logged out for all users and email addresses were restored. Users were then told to reset their passwords and reauthenticate their logins. Meta says that once the accounts are secured, a second notice will be sent to remind users to turn on two-factor authentication to prevent future attacks. Meta has not yet responded to a request for comment.

How to protect yourself from similar attacks

The social engineering exploit had one major limitation: It did not work on accounts with multifactor authentication. Those accounts either already had the code in their authentication app of choice or received it by text. Without the MFA setting, the one-time reset code appears to be sent to an email address of choice, thereby letting hackers just, well, have it.

The best way to protect yourself is to enable multifactor authentication, which is available on all of Meta's platforms. It won't protect you 100% of the time, but it's a lot better than a password by itself, and it would've protected against this particular exploit entirely. There are other things you can do to beef up account security, including using passkeys where available and a private email address to make your account credentials harder to find.
[2]
In A.I. Blunder, More Than 34,000 Instagram Accounts Became Vulnerable
Late last month, the former White House social media account for President Barack Obama suddenly began posting odd things on its Instagram page. The account had been dormant since 2017, when Mr. Obama left office. The new posts -- which included messages deriding President Trump and saying that the White House was "under Shiite control," referring to the branch of Islam -- were out of character for Mr. Obama's social media activities. It turned out the posts were not made by Mr. Obama's office at all.

In March, a group of hackers discovered a bug in a Meta customer service tool that allowed anyone to use an artificial intelligence-powered chatbot to reset the passwords for Instagram accounts. All the hacker had to do was ask the chatbot to change someone's password -- and it would be done.

Roughly 34,000 Instagram accounts were affected, including the accounts of the home security monitoring company SimpliSafe and a senior official in Mr. Trump's Space Force department, according to internal Meta documents viewed by The New York Times. In the Space Force official's case, hackers began posting pro-Iran messages comparing the war in Iran to the U.S. invasion of Vietnam in the 1960s.

Of the 34,000 accounts, 20,000 were breached, giving hackers access to the related email addresses, phone numbers, birth dates and other personal data. More than 3,500 of the accounts had their user names taken over and changed from the hack, according to the internal documents. Meta has said it could not determine what information was viewed or stolen by the attackers.

In a statement, Meta said it had fixed the flaw, which was reported by 404 Media earlier this month, and secured the affected accounts. "Some of our internal back-end checks failed in this instance, but it wasn't due to the A.I. agent itself, and we've addressed the underlying cause," said Andy Stone, a Meta spokesman, adding that it was notifying regulators and people whose accounts were affected.

The company said because of its new automated customer service programs called "agents," the number of users who were able to recover hacked accounts in the United States and Canada increased by 30 percent last year. A spokeswoman for Mr. Obama declined to comment.

The incident was another A.I.-themed hiccup for Meta as it tries to remake itself using the technology. The company, which also owns Facebook and WhatsApp, is not only integrating A.I. into its apps, but is spending billions to keep pace with rivals like Anthropic and OpenAI to develop cutting-edge A.I. Mark Zuckerberg, Meta's chief executive, has said his company's future depends on quickly shifting to becoming an A.I.-first organization.

But that transition has not been smooth. Last month, Meta unveiled a program to track employees' computer activity for A.I. training, causing a revolt among its workers. It also pushed A.I. tools on employees while laying off thousands of them to offset A.I. spending, further hurting morale.

More broadly, concerns have also grown that advanced A.I. is creating more security threats than it is stopping. In April, Anthropic announced Mythos, its most advanced A.I. model, but declined to publicly release the technology, worried that it could be used for widespread security exploits. On Tuesday, Anthropic released Claude Fable 5, a straitjacketed version of Mythos that the company said was safe for widespread use. (The New York Times sued OpenAI and Microsoft in 2023, claiming copyright infringement of news content related to A.I. systems. The two companies have denied those claims.)

Stealing high-profile social media accounts with millions of followers has long been lucrative. Hackers have found ways to trick users into giving up their handles through duplicitous messages or fake password resets, often reselling the handles to bidders like cryptocurrency promoters or political operatives. Buyers then use the accounts to spread messages for personal or political gain, or sometimes just to wreak havoc.

In recent weeks, Meta has ramped up plans to offer A.I. products to businesses, aiming to court more corporate customers. At an event last Wednesday, the company introduced a "business agent" product, which lets organizations use automated chatbots for customer service issues like booking appointments or completing transactions. Meta's business agent is available to customers on Instagram, WhatsApp and Facebook Messenger.

In a letter to Maine's attorney general last week, which was obtained by This Week in Security, Meta said it was conducting a "comprehensive review" to identify further security issues and handle them. Still, Meta decided not to make major changes to its A.I. plans after the Instagram hacks, according to the internal documents. "We agreed to leave all products on and to pause one ongoing experiment (IG Forgot Password Chat)," the documents said. "All other entrypoints will remain available."

Meta employees appeared to be girding themselves for future incidents. "Adversarial attack vectors are always adapting," one employee wrote in an internal message to colleagues, which was viewed by The Times. "Security testing is a continuous process."
[3]
Meta A.I. Bug Allowed Hackers to Take Over Instagram Accounts
A critical AI security vulnerability in Meta's customer service system allowed hackers to reset Instagram account passwords simply by asking a chatbot. The breach affected 34,000 accounts, including Barack Obama's former White House page and major brands like Sephora. Of those, 20,000 were fully compromised, exposing personal data including email addresses and phone numbers.
A critical AI security vulnerability in Meta's customer service infrastructure enabled hackers to compromise roughly 34,000 Instagram accounts in March, exposing a dangerous flaw in the company's rush toward AI integration [2][3]. The breach affected high-profile targets including Barack Obama's former White House account, makeup retailer Sephora, and a senior official in the US Space Force department [1]. The exploit was remarkably simple: hackers discovered they could ask Meta's AI-powered chat assistant to reset Instagram account passwords, and the AI agent would comply without proper verification.

Of the 34,000 affected Instagram accounts, 20,000 were fully breached, giving unauthorized third parties access to email addresses, phone numbers, birth dates, and other personal data [2]. More than 3,500 accounts had their usernames completely taken over and changed. The attack method required no technical sophistication: hackers simply requested that the AI-powered customer service tool change a target account's email address to their own, then requested a password reset [1]. A step-by-step video even circulated on X, showing how attackers used VPNs to mask their location and never needed the victim's original credentials.

Source: CNET

The security flaw stems directly from Meta's decision to transition customer support functions to AI automation in March. The company promoted the change as enabling "24/7 help for account issues like updating your password and settings for your profile" [1]. However, with the AI-powered customer service tool handling the entire process, human oversight couldn't intervene when suspicious activity emerged. This allowed the social engineering-style attack to succeed repeatedly before detection.

Meta spokesman Andy Stone acknowledged that "some of our internal back-end checks failed in this instance," though he claimed it "wasn't due to the A.I. agent itself" [2]. The company emphasized that its automated customer service programs, called "agents," helped increase successful account recoveries by 30 percent in the United States and Canada last year. Yet this statistic offers little comfort to the thousands whose accounts were compromised because of inadequate backend checks in the AI system.

The consequences of the breach extended beyond mere access. Obama's dormant White House Instagram account, inactive since 2017, suddenly began publishing unauthorized posts deriding President Trump and making inflammatory religious references [2]. In another case, hackers posted pro-Iran messages on a Space Force official's account, comparing the Iran conflict to the Vietnam War. These incidents highlight how stolen high-profile accounts become vehicles for political manipulation, misinformation, or chaos.

Meta has acknowledged in a regulatory filing with Maine's attorney general that it "could not determine what information was viewed or stolen by the attackers" [3]. This uncertainty compounds concerns about data breaches and potential misuse of personal information. The company forcibly logged out all impacted users, restored original email addresses, and instructed victims to reset passwords and reauthenticate their logins [1].

Source: NYT

The exploit had one critical limitation: it failed completely against accounts with multi-factor authentication enabled. Those accounts either already had verification codes in their authentication apps or received them via text, preventing hackers from completing the password reset [1]. Without this protection, the one-time reset code was simply sent to whatever email address the hackers specified. Meta is now sending second notices to affected users, urging them to enable multi-factor authentication to prevent future attacks.

Despite the breach, internal Meta documents reveal the company decided against major changes to its AI plans. "We agreed to leave all products on and to pause one ongoing experiment (IG Forgot Password Chat)," the documents stated. "All other entrypoints will remain available" [2]. This decision reflects CEO Mark Zuckerberg's commitment to transforming Meta into an AI-first organization, even as the transition proves turbulent.

The incident arrives amid broader industry concerns that advanced AI creates more security threats than it prevents. Anthropic recently withheld its most advanced model, Mythos, citing fears of widespread security exploits, releasing only a restricted version called Claude Fable 5 [2]. Meta, meanwhile, continues expanding AI products to businesses, having recently introduced a "business agent" for customer service on Instagram, WhatsApp, and Facebook Messenger. The company stated it is conducting a "comprehensive review" to identify further security issues [3], though questions remain about whether backend safeguards can keep pace with rapid AI deployment. For users, the message is clear: enable multi-factor authentication now, as AI-powered systems introduce new attack vectors that traditional security measures weren't designed to address.

Summarized by Navi