Brief IA

Instagram: Meta's AI Exposes High-Profile Accounts to Hackers

🛠️ AI Tools·Tom Levy·

Instagram: Meta's AI Exposes High-Profile Accounts to Hackers

Instagram: Meta's AI Exposes High-Profile Accounts to Hackers
Key Takeaways
1Hackers exploited Instagram's AI chatbot to hack accounts, including that of Barack Obama.
2The chatbot allowed password resets without identity verification, exposing many users.
3Meta has fixed the vulnerability, but accounts were sold for up to 1 million dollars.
💡Why it mattersThe security of online accounts is threatened by vulnerabilities in automated systems, exposing influential users to increased risks.
Le brief IA que lisent les pros

Le brief IA que les pros lisent chaque soir

Les 7 actus IA du jour, décryptées en 5 min. Gratuit.

Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.

Choisis ton rythme

Gratuit · Pas de spam · Désabonnement en 1 clic

📄
Full Analysis

Hacking Made Easier by Instagram's AI

Last weekend, several high-profile Instagram accounts were compromised, including that of Barack Obama's White House, which is undoubtedly the most notable. Hackers managed to exploit a vulnerability in Meta's customer support AI chatbot, facilitating access to these accounts.

A Flaw in the Reset System

According to 404 Media, hackers were able to manipulate the chatbot to change the email address associated with the targeted accounts. They then initiated a password reset without any identity verification required. The chatbot sent an access code to the hackers' email address, allowing them to reset the password and take control of the accounts. A video detailing this process was shared on X. By using a VPN, the hackers simulated the victims' locations, making the attack even more effective. At no point did the hacker need the original user's email address or password to access the accounts.

Instagram had a vulnerability that allowed the use of Meta's AI to reset passwords on accounts without MFA (multi-factor authentication). This flaw has been recently patched.

High-Profile Accounts Targeted

Among the affected accounts are those of makeup retailer Sephora and US Space Force Master Sergeant John Bentivegna. While the total number of hacked accounts remains uncertain, many users have reported similar incidents on Reddit and X, including security researcher Jane Wong. She shared her experience on X, explaining that her password had been changed without her knowledge, resulting in repeated logouts from the Instagram app.

"The password was changed without my knowledge, and I was receiving different password reset attempts throughout yesterday," Jane Wong stated on X. "And I was logged out multiple times from the [Instagram] iOS app. It's quite concerning."

The Impact of Automation on Security

The problem primarily lies in the fact that Meta's customer support is now entirely managed by AI. This change, introduced in March, aimed to provide continuous assistance for account issues. However, the lack of human intervention allowed hackers to carry out social engineering attacks undetected. Security researchers ZachXBT and Dark Web Informer were the first to publicly reveal this vulnerability after several high-profile accounts were compromised. Dark Web Informer has been tracking the sale of these accounts in real-time, with some being offered for sums reaching $1 million.

Meta's Response and Security Measures

An Instagram spokesperson, Andy Stone, announced in a post on X that the vulnerability has been patched. According to 404 Media, Meta is currently working to secure the impacted accounts. To guard against such attacks, it is strongly recommended to enable multi-factor authentication (MFA), which could have prevented this vulnerability. The use of passkeys and a private email address can also enhance account security.

Brief IA — L'actualité IA en français

L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.