AI Chatbot Exploited by Hackers to Breach Instagram Accounts

Instagram Account Takeover Incident

According to НВ — Техно: On June 2 at 6:00 PM, it was revealed that attackers leveraged Meta’s AI-powered support chatbot to hijack Instagram accounts by resetting both email addresses and passwords. The breach, first reported by 404 Media, occurred around the same time the official Barack Obama-era White House Instagram account was compromised. The @obamawhitehouse page began displaying images promoting Iranian propaganda. The perpetrators also gained access to accounts belonging to the Senior Enlisted Advisor of the U.S. Space Force, beauty retailer Sephora, and security researcher Jane Manchun Wong.

Meta confirmed the vulnerability has been patched. Company communications chief Andy Stone stated:

“The issue has been resolved, and we are working to protect accounts that may have been affected.”

According to reports, the hacker asked the chatbot to link a new email address to the account. The AI then sent a verification code to that email. Once the code was received, the attackers confirmed the new address and set their own password.

Expert and Researcher Reactions

Researcher Jane Manchun Wong reported that her account was taken over. She noted the password was changed without her knowledge, she received numerous password reset requests throughout the day, and the Instagram app on her iPhone was repeatedly logged out. Gergely Orosz, author of The Pragmatic Engineer newsletter, emphasized that

“in recent weeks, the Instagram team responsible for trust and safety has been significantly reduced due to layoffs and reassignments to other tasks, including those related to AI.”

He also remarked that “the attack was not sophisticated, and the issue may have arisen from the company’s over-reliance on artificial intelligence in its services and insufficient attention to security matters.”

Meta launched its AI assistant for user support in March, but this incident highlights the potential risks of using artificial intelligence in security-sensitive contexts. Attackers were actively hunting for valuable short usernames, underscoring the severity of the situation. The company continues to work on improving the security of its services and protecting users.

This event serves as a stark reminder of the need for robust security measures amid the growing integration of AI into customer support technologies. Vulnerabilities in automated systems can be exploited by malicious actors to access sensitive data, threatening not only individual users but also corporate reputations. Meta is already working to rectify the situation and safeguard its users, but such cases underscore the critical importance of continuously enhancing security systems in the digital landscape.

The recent incident involving the exploitation of an AI chatbot highlights a concerning trend in cybersecurity, particularly as cybercriminals increasingly target high-profile institutions. This mirrors a previous wave of attacks where fraudsters impersonated key Ukrainian financial entities to deceive individuals. To understand the broader implications of these tactics and the evolving landscape of cyber threats, read more about this alarming situation here.