Ryan Haines / Android Authority
TL;DR A reported flaw in Meta’s AI support system affected 34,000 Instagram accounts, exposing personal data and enabling account takeovers.
Attackers tricked an AI chatbot into changing account recovery emails, allowing them to reset passwords.
Meta is reviewing the incident and notifying affected users, but has paused only the specific recovery tool involved while continuing its broader AI push.
A few days ago, we reported on how Meta’s growing reliance on AI-powered support tools had seemingly opened the door to a new kind of security problem. Now, a fresh report from The New York Times suggests the issue may have been far more widespread than initially understood, affecting around 34,000 Instagram users. Of those, roughly 20,000 accounts were allegedly compromised, exposing personal information such as email addresses, phone numbers, and birth dates, while thousands more had their usernames changed or temporarily lost control of their profiles.
Unlike many account breaches that rely on stolen passwords, phishing emails, or malware, this incident appears to have stemmed from something far more mundane: an automated support workflow that could be manipulated into performing actions it wasn’t supposed to.
Attackers were able to convince Meta’s AI support chatbot to replace the email address associated with a target Instagram account. Once the new email was linked, the attackers could request a password reset and gain control of the profile.
Several high-profile accounts were affected by the breach, including businesses, public figures, and government-linked organizations. Some hijacked profiles were later used to publish unauthorized posts before Meta stepped in and restored access.