Meta AI Chatbot Handed Over 20,000 Instagram Accounts to Hackers

Hackers discovered that the Meta AI chatbot, designed to be a helpful virtual assistant, possessed a hilariously polite fatal flaw. By simply asking the bot to reset an account's password and providing their own email, attackers could bypass security checks and hijack profiles.

The system was supposed to verify whether the requester's email matched the address on file, but a tiny glitch in a separate piece of code turned the chatbot into a clueless bouncer who lets anyone in if they ask nicely. As long as the victim didn't have two-factor authentication enabled, the digital assistant happily generated and sent password reset links straight to the hackers' mailboxes.

This digital open-house party resulted in the compromise of at least 20,225 Instagram accounts, exposing private direct messages, contact lists, birth dates, and linked social profiles. Meta disclosed the massive leak in a regulatory filing to the Maine Attorney General, admitting that the underlying AI tool itself was technically working as intended while the authentication check was completely asleep at the wheel.

The company has since disabled the chatbot's account recovery capabilities and cleaned up the rogue code to prevent further automated break-ins.

Silicon Valley's obsession with injecting AI into every corner of the internet continues to bear beautiful, chaotic fruit. When a multi-billion dollar corporation trusts a language model to handle security-critical tasks without basic email verification, it proves that the smartest minds in tech are still remarkably adept at building high-tech crowbars for thieves.

Source: Week in Security