Instagram Patches Meta AI Support Assistant Hijacking Vulnerability

Summarize with:

ChatGPT Claude.ai Google AI Grok Perplexity

Add as preferred source on Google

Instagram recently resolved a critical security vulnerability that enabled threat actors to hijack user accounts by exploiting Meta's AI-powered support infrastructure. Over the weekend, numerous individuals on Reddit and X reported unauthorized access to their profiles. The exploitation of this vulnerability impacted several prominent figures and organizations. 

Confirmed compromised accounts included the Instagram handle for the Obama-era White House, the official profile of U.S. Space Force chief master sergeant John Bentivegna, and the account of security researcher Jane Wong.

Authentication Bypass via Meta AI Support Assistant

The attack vector specifically relied on tricking the Meta AI Support Assistant into granting illicit access to the targeted accounts. A video circulating on X demonstrated the step-by-step technical process utilized by the threat actors. 

Attackers used a VPN to spoof the target's presumed geographical location, circumventing initial security tripwires. They then initiated a session with the Meta AI Support Assistant, instructing the bot to append a new email address to the target account. 

The chatbot subsequently sent a verification code to the hacker's email address. Upon sharing this verification code with the chatbot, the attacker gained access to the Reset Password button.

This way, the hacker gained a complete account takeover without ever compromising the legitimate email address linked to the victim's Instagram profile.

Incident Remediation

Following the public disclosure of the exploit, Instagram spokesperson Andy Stone confirmed that the underlying security issue was fixed, adding that the “claim about world leaders is totally false.”

Meta has not yet commented on the matter, and the total number of affected users is unknown.

Last month, Russian hackers targeted 13,500 Signal accounts in a hijacking campaign. In April,  a Milan court accepted a Meta Platforms class action over Facebook personal data scraping affecting 35 million users.

Related

Massive 17-Million Device Botnet in the Netherlands Dismantled in a Police and NCSC Joint Operation 

Atlas Menu Data Breach Exposes Approximately 64,000 User Accounts

Cyber Job Moves: Organizations Turn to New Leaders for Their Next Chapter | Week of May 31–June 6

Cyber Job Moves: Security, Risk, and Technology Leaders Take on New Roles

Weekly Cybersecurity Roundup: Extortion Stumbles, Trust Gets Tested, and Investigators Close In

Charter Data Breach: Approximately 4.9 Million Emails Added to HIBP Following ShinyHunters Claim

Your Weekly Cybersecurity Briefing

Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.

Subscribe for Free

Please enter a valid email address.

Most Popular

Massive 17-Million Device Botnet in the Netherlands Dismantled in a Police and NCSC Joint Operation 

NordVPN Expands Beyond VPN Services With New Focus on Antivirus and Digital Security

Atlas Menu Data Breach Exposes Approximately 64,000 User Accounts

Cyber Job Moves: Organizations Turn to New Leaders for Their Next Chapter | Week of May 31–June 6

Cyber Job Moves: Security, Risk, and Technology Leaders Take on New Roles

Weekly Cybersecurity Roundup: Extortion Stumbles, Trust Gets Tested, and Investigators Close In

Massive 17-Million Device Botnet in the Netherlands Dismantled in a Police and NCSC Joint Operation 

NordVPN Expands Beyond VPN Services With New Focus on Antivirus and Digital Security

Atlas Menu Data Breach Exposes Approximately 64,000 User Accounts

Cyber Job Moves: Organizations Turn to New Leaders for Their Next Chapter | Week of May 31–June 6

Cyber Job Moves: Security, Risk, and Technology Leaders Take on New Roles

Weekly Cybersecurity Roundup: Extortion Stumbles, Trust Gets Tested, and Investigators Close In