Instagram: Meta's AI Exposes High-Profile Accounts to Hackers
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
Hacking Made Easier by Instagram's AI
Last weekend, several high-profile Instagram accounts were compromised, including that of Barack Obama's White House, which is undoubtedly the most notable. Hackers managed to exploit a vulnerability in Meta's customer support AI chatbot, facilitating access to these accounts.
A Flaw in the Reset System
According to 404 Media, hackers were able to manipulate the chatbot to change the email address associated with the targeted accounts. They then initiated a password reset without any identity verification required. The chatbot sent an access code to the hackers' email address, allowing them to reset the password and take control of the accounts. A video detailing this process was shared on X. By using a VPN, the hackers simulated the victims' locations, making the attack even more effective. At no point did the hacker need the original user's email address or password to access the accounts.
Instagram had a vulnerability that allowed the use of Meta's AI to reset passwords on accounts without MFA (multi-factor authentication). This flaw has been recently patched.
High-Profile Accounts Targeted
Among the affected accounts are those of makeup retailer Sephora and US Space Force Master Sergeant John Bentivegna. While the total number of hacked accounts remains uncertain, many users have reported similar incidents on Reddit and X, including security researcher Jane Wong. She shared her experience on X, explaining that her password had been changed without her knowledge, resulting in repeated logouts from the Instagram app.
"The password was changed without my knowledge, and I was receiving different password reset attempts throughout yesterday," Jane Wong stated on X. "And I was logged out multiple times from the [Instagram] iOS app. It's quite concerning."
The Impact of Automation on Security
The problem primarily lies in the fact that Meta's customer support is now entirely managed by AI. This change, introduced in March, aimed to provide continuous assistance for account issues. However, the lack of human intervention allowed hackers to carry out social engineering attacks undetected. Security researchers ZachXBT and Dark Web Informer were the first to publicly reveal this vulnerability after several high-profile accounts were compromised. Dark Web Informer has been tracking the sale of these accounts in real-time, with some being offered for sums reaching $1 million.
Meta's Response and Security Measures
An Instagram spokesperson, Andy Stone, announced in a post on X that the vulnerability has been patched. According to 404 Media, Meta is currently working to secure the impacted accounts. To guard against such attacks, it is strongly recommended to enable multi-factor authentication (MFA), which could have prevented this vulnerability. The use of passkeys and a private email address can also enhance account security.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.