
A security flaw that allowed several users’ accounts to be hacked has been fixed by Instagram. It appeared that the attack relied on deceiving Meta’s AI-powered help chatbot into opening a victim’s account.
Several Reddit users reported that their Instagram accounts had been hacked over the weekend, and several X users warned others about similar account takeovers. Among the hijacked profiles were the account of the U.S. Space Force’s Chief Master Sergeant John Bentivegna and the Obama-era White House’s Instagram handle, which appears to have been dormant since 2017.
Jane Wong, a security researcher, said that someone had also taken over her Instagram account.
Wong said she had been receiving repeated password reset attempts throughout the previous day and that her password was then changed without her knowledge, which she found very worrying.
The method used to hijack Instagram accounts was demonstrated in a video uploaded to X. To evade Instagram’s automated account security, the hacker allegedly used a VPN to appear to be in the target’s presumed location. The hacker then opened a conversation with the Meta AI Support Assistant and asked the bot to add a new email address to the target’s account. The video shows the chatbot sending a verification code to the hacker’s own email address; the hacker then enters that code in the chat, after which the chatbot displays a “Reset Password” button.
After changing the victim’s password, the hacker gains access to their account.
Reporters were able to confirm from the video that the verification code was sent to the hacker’s publicly visible email address.
The attack worked because the hacker never needed to take control of the email address legitimately associated with the victim’s Instagram account; the support bot accepted a newly added address as a valid recovery destination.
In response to Wong’s post and others on Monday, Instagram representative Andy Stone stated that the problem had been resolved. The number of Instagram users whose accounts were hacked is not yet known.
Meta did not immediately reply to a request for comment.
In summary, attackers tricked Meta’s AI support bot into handing over Instagram accounts without needing passwords, malware, or phishing links. Using a VPN to spoof the victim’s location, they asked the AI to link a new email address to the account. The bot sent a reset code to that address, and once the code was entered, it allowed a password reset that gave full access, bypassing 2FA in many cases.
Meta has since fixed the issue, according to spokesperson Andy Stone, and the AI chatbot can no longer make unauthorized account changes. Security experts still recommend enabling strong multi-factor authentication (MFA) to guard against similar threats.
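The flaw the article describes is a recovery flow in which a support channel attaches a new contact address and then immediately trusts it as a destination for reset codes. As an added illustration (not Meta’s or Instagram’s code; every name, policy value and sample account below is constructed), the Python model contrasts that flow with a hardened one in which a contact change must be approved through the existing primary email and a newly added contact sits out a cooldown before it can receive a recovery code, plus an audit-log check that flags reset codes sent to freshly added contacts.

```python
"""Added illustration, not Meta's or Instagram's code: a minimal model of an
account-recovery flow showing the reported design flaw and a hardened version.
All names, policy values and sample accounts are constructed."""
from dataclasses import dataclass, field
import secrets

# Constructed policy: a newly added contact cannot receive recovery codes for 7 days.
RECOVERY_COOLDOWN_SECONDS = 7 * 24 * 3600


@dataclass
class Account:
    username: str
    primary_email: str
    contacts: dict = field(default_factory=dict)  # email -> unix time it became verified
    pending: dict = field(default_factory=dict)   # confirmation token -> proposed email
    audit: list = field(default_factory=list)     # (event, email, time) records


def _code() -> str:
    return secrets.token_hex(4)


class VulnerableRecovery:
    """Models the reported flaw: a support channel adds an email on request and the
    reset path immediately trusts that email as a recovery destination."""

    def support_add_email(self, acct: Account, new_email: str, now: int) -> None:
        acct.contacts[new_email] = now  # no proof of control over the existing email
        acct.audit.append(("contact_added", new_email, now))

    def send_reset_code(self, acct: Account, to_email: str, now: int):
        if to_email == acct.primary_email or to_email in acct.contacts:
            acct.audit.append(("reset_code_sent", to_email, now))
            return _code()  # the code goes to whoever asked for the change
        return None


class HardenedRecovery:
    """Two fixes: (1) adding a contact requires a token delivered to the existing
    primary email, so the legitimate owner must approve the change; (2) even a
    confirmed new contact is ineligible for recovery codes during a cooldown."""

    def support_add_email(self, acct: Account, new_email: str, now: int) -> str:
        token = _code()
        acct.pending[token] = new_email
        acct.audit.append(("contact_change_requested", new_email, now))
        return token  # modelled as delivered ONLY to acct.primary_email, never to the requester

    def confirm_from_primary(self, acct: Account, token: str, now: int) -> bool:
        new_email = acct.pending.pop(token, None)
        if new_email is None:
            return False
        acct.contacts[new_email] = now
        acct.audit.append(("contact_added", new_email, now))
        return True

    def send_reset_code(self, acct: Account, to_email: str, now: int):
        if to_email == acct.primary_email:
            eligible = True
        else:
            added = acct.contacts.get(to_email)
            eligible = added is not None and now - added >= RECOVERY_COOLDOWN_SECONDS
        if not eligible:
            acct.audit.append(("reset_code_denied", to_email, now))
            return None
        acct.audit.append(("reset_code_sent", to_email, now))
        return _code()


def suspicious_resets(acct: Account, window: int = RECOVERY_COOLDOWN_SECONDS):
    """Detection helper: reset codes sent to a contact that was added less than
    `window` seconds earlier. Reviewing an audit trail this way surfaces the pattern
    the vulnerable flow produces."""
    added_at, hits = {}, []
    for kind, email, ts in acct.audit:
        if kind == "contact_added":
            added_at[email] = ts
        elif kind == "reset_code_sent" and email in added_at and ts - added_at[email] < window:
            hits.append((email, ts))
    return hits


def demo():
    now = 1_700_000_000
    attacker = "attacker@example.invalid"  # constructed requester address
    victim = Account("victim", "owner@example.invalid")
    vuln = VulnerableRecovery()
    vuln.support_add_email(victim, attacker, now)
    code_leaked = vuln.send_reset_code(victim, attacker, now + 60) is not None
    flagged = suspicious_resets(victim)

    victim2 = Account("victim", "owner@example.invalid")
    hard = HardenedRecovery()
    token = hard.support_add_email(victim2, attacker, now)  # token reaches the owner only
    denied_unconfirmed = hard.send_reset_code(victim2, attacker, now + 60) is None
    hard.confirm_from_primary(victim2, token, now + 120)  # owner approves, for illustration
    denied_in_cooldown = hard.send_reset_code(victim2, attacker, now + 3600) is None
    allowed_later = hard.send_reset_code(victim2, attacker, now + RECOVERY_COOLDOWN_SECONDS + 200) is not None
    return code_leaked, len(flagged), denied_unconfirmed, denied_in_cooldown, allowed_later


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable flow handing a reset code to the requester one minute after the address was added (and the audit check flagging it), while the hardened flow refuses until the existing owner has confirmed the change and the cooldown has passed. The cooldown is the second line of defence: even if a support channel is talked into approving a change, a freshly added contact cannot be used for recovery straight away, which leaves the legitimate owner time to notice the notification sent to their primary email.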