Meta AI Compromise: Celebrity Instagram Accounts Hacked
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
Cybercriminals have managed to exploit a vulnerability in Meta AI's support chatbot, compromising high-value Instagram accounts. Before Meta could patch this vulnerability, several accounts belonging to public figures had already been hacked and sold on the black market for substantial sums. Among the victims, some compromised accounts temporarily broadcast political messages before being recovered.
According to information reported by 404 Media, the attack relied on a relatively simple request injection method. The hackers initiated a password reset procedure and then used a VPN to simulate the victim's location. They were then able to convince Meta's AI assistant to change the email address associated with the account, allowing them to take full control of the account.
Videos demonstrating this method had been circulating for some time in Telegram groups frequented by hackers and cybersecurity researchers. The media outlet Neowin reports that this vulnerability had been exploited for several months, likely since February, and it may have already facilitated the hacking of thousands of Instagram accounts.
The situation gained particular attention after accounts belonging to well-known personalities were compromised. Among them were the accounts @hey and @jowo, whose combined value would exceed one million dollars on the gray market. Even recognized cybersecurity experts, such as Jane Manchun Wong, reported being affected. The issue is that even if the hackers only retain these accounts for a few days, they can profit from their audience, resale potential, or ability to impersonate well-known brands.
On May 31, open-source intelligence researcher ZachXBT publicly denounced the system on X. According to him, the Meta AI support had excessive permissions allowing password resets without two-factor authentication or proper identity verification. ZachXBT stated, "There was likely a massive Instagram/Meta vulnerability this weekend that has just been patched. Basically, Meta AI support is broken and has a lot of access permissions that allowed you to reset any user's password without 2FA and did not verify who you are."
Researcher Dark Web Informer described the same vulnerability, noting that a fix had finally been deployed. Nevertheless, a simple protection could have blocked the attack: multi-factor authentication. Even the most basic version relying on codes sent via SMS was generally sufficient to prevent takeover. The hackers themselves acknowledged this.
Beyond the Meta case, this incident raises a broader question. Many companies are now granting AI agents significant rights, allowing them to modify sensitive data or critical settings. However, when such a system is poorly protected, a simple manipulation can sometimes bypass traditional security mechanisms. Thus, for several experts, the Meta AI-based support assistant should have incorporated additional security controls.
Among the specialists' recommendations are independent verification before any modification of account information, enhanced monitoring of requests deemed risky, and automatic detection of unusual behaviors. Not to mention strict safeguards preventing the AI from performing certain sensitive actions without human validation.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.