Hackers trick Meta AI into handing over Instagram accounts – including Barack Obama’s

Meta has embraced AI in recent years (Picture: Getty/AP)

Hackers were able to hijack and sell Instagram accounts by tricking the social media platform’s AI chatbot, Meta told Metro.

Meta AI is a digital assistant integrated into Instagram as well as other Meta-owned platforms, like Facebook and WhatsApp.

But rather than use it to write captions or generate images, hackers found a way to trick it into changing other people’s passwords over the weekend.

Among the first to document the vulnerability were cybercrime trackers ZachXBT, Dark Web Informer and impulsive.

Meta confirmed to Metro that the vulnerability has been patched.

Cybersecurity experts estimate that around 100 high-value accounts were looted, with some being flogged on black market services.

Even Barack Obama’s dormant White House Instagram account was infiltrated, TMZ reported on Sunday.

Attackers posted, among other things, an image captioned ‘White House is under Shiites’ control’, referring to Shiite Muslims, members of the second-largest denomination of Islam.

Meta confirmed the breach and said the account, which has 2.4 million followers, has since been restored. 

The workaround involved using a specifically worded prompt (Picture: Telegram/Conetic Larp/Instagram)

The Chief Master Sergeant of the US Space Force, John Bentivegna, also had his account looted.

His account was flooded with anti-American and pro-Iranian messages on Sunday, according to military social media and Reddit pages.

Bentivegna said that he is ‘working with the appropriate teams to regain access’ to his account.

‘It’s kind of like someone breaking into your house’

Impacted accounts are mainly those with short usernames, which are known in underground circles for their resale value. They include @hey, @e and @f, according to the Instagram handle tracker Chidori Monitor.

Among them is the Dubai-based Hamza, who told Metro that his Instagram account, @zv, was swindled at 8am local time yesterday.

Meta told him that his profile, which he’s had for about four years, does not comply with their cybersecurity policies.

‘I just think Meta is relying too much on AI,’ Hamza said, adding that he spent hours going through the company’s automated support system.

‘When the hacker changed my email, AI responded with, “We cannot change the email without confirming it’s you,” after Meta patched it, so they’d send a code to the hacker’s email.

‘It’s kind of like someone breaking into your house and the government tell you to get out, it isn’t yours anymore.

‘It’s f***ed bro, I don’t know what to even say, I’m speechless… Meta don’t care.’

How did the hack work?

According to a viral video by the Telegram account Concetic Larp, the play involves using a virtual private network (VPN), which routes your traffic through a server in another country so that a login appears to come from there.

By setting their VPN to the victim’s region, so the attempt doesn’t look like an unusual login, the hackers can go to the victim’s Instagram account and click ‘forgot password’.

Usually, a password reset requires proof that the person asking controls the contact details already on the account, such as entering a code or clicking a link sent to the registered phone number or email address, on top of any two-factor authentication (2FA) the user has switched on.

But hackers could instead click the ‘Get support’ option to access Meta’s AI-powered account recovery tool and give it a prompt – an instruction for an AI – asking it to link the account to a new email address.

The digital assistant would then allegedly send the verification code to the hacker’s own email address rather than the account owner’s, letting the hacker finish the reset and take over.

Some of the compromised accounts have been removed, scrubbed clean, suspended or had their handles changed.

The method doesn’t break into Meta’s systems directly. It is an example of a ‘confused deputy’ attack: fooling a component that has elevated permissions into acting for someone it shouldn’t trust. Here the deputy is the support assistant, which had the power to rebind an account’s contact email but, by these accounts, did not tie that power to proof that the person asking actually owned the account.

Meta AI has privileged access to account management systems, which is not unusual for a customer support tool. What matters is that every privileged action the assistant can trigger is gated on the requester’s verified identity, not on the wording of the prompt.
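As an added illustration, the following Python models the flaw described above next to a hardened version. It is not Meta’s code: the tool names, the account store, the `zv` owner address and the attacker address are all constructed for the example. The vulnerable tool lets the assistant pass on whatever destination the prompt supplied; the hardened tool only ever sends codes to the contact already on file and refuses to change anything until that code has been confirmed.

```python
import secrets
from dataclasses import dataclass, field

# Constructed account store for the example: handle -> contact email on record.
ACCOUNTS = {"zv": "owner@example.com"}


@dataclass
class Outbox:
    """Records where verification codes were sent (stands in for an email gateway)."""
    sent: list = field(default_factory=list)

    def send_code(self, to: str, code: str) -> None:
        self.sent.append((to, code))


@dataclass
class Session:
    """Who the assistant is acting for. `verified` becomes True only once the
    requester has proved control of a contact already on record."""
    handle: str
    verified: bool = False


class VulnerableRecoveryTool:
    """Confused deputy: the assistant holds account-management rights and
    forwards whatever destination address the prompt supplied."""

    def __init__(self, outbox: Outbox) -> None:
        self.outbox = outbox
        self.accounts = dict(ACCOUNTS)

    def link_new_email(self, session: Session, new_email: str) -> None:
        # Flaw 1: no check that the requester has proved ownership.
        # Flaw 2: the code goes to the attacker-chosen address, not the one on file.
        code = secrets.token_hex(3)
        self.outbox.send_code(new_email, code)


class HardenedRecoveryTool:
    """Same capability, but authority is tied to the account, not to the prompt."""

    def __init__(self, outbox: Outbox) -> None:
        self.outbox = outbox
        self.accounts = dict(ACCOUNTS)
        self._pending: dict = {}

    def start_verification(self, session: Session) -> None:
        # Codes only ever go to the contact already on record; the caller
        # (human or assistant) cannot choose the destination.
        on_file = self.accounts[session.handle]
        code = secrets.token_hex(3)
        self._pending[session.handle] = code
        self.outbox.send_code(on_file, code)

    def confirm(self, session: Session, code: str) -> bool:
        expected = self._pending.pop(session.handle, None)
        if expected is not None and secrets.compare_digest(expected.encode(), code.encode()):
            session.verified = True
        return session.verified

    def link_new_email(self, session: Session, new_email: str) -> None:
        # Changing a contact is privileged: refuse unless ownership was proved.
        if not session.verified:
            raise PermissionError("prove control of the existing contact first")
        self.accounts[session.handle] = new_email  # a real system would verify the new address too


def run_attack(tool, attacker_email: str = "attacker@evil.example") -> list:
    """Replays the prompt 'link this account to my email' as a tool call made on
    behalf of an unverified requester, and returns the addresses that received codes."""
    session = Session(handle="zv")  # the attacker has proved nothing
    try:
        tool.link_new_email(session, attacker_email)
    except PermissionError:
        pass
    return [to for to, _ in tool.outbox.sent]


if __name__ == "__main__":
    print("vulnerable tool sent codes to:", run_attack(VulnerableRecoveryTool(Outbox())))
    print("hardened tool sent codes to:  ", run_attack(HardenedRecoveryTool(Outbox())))
```

The point of the hardened version is not that the prompt is filtered better; it is that the prompt never gets to pick the destination or skip the proof-of-ownership step, so a cleverly worded request has nothing to work with.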

Meta communications director Andy Stone told Metro: ‘This issue has been resolved and we are securing impacted accounts.’

How to protect your accounts from hackers

Most attacks aren’t that sophisticated. They usually involve phishing – fooling people into clicking dodgy links – or guessing someone’s weak password.

Here are a few tips to keep your account secure:

  • Enable multi-factor authentication (MFA): With this on, a digital thief can’t get into your account with just your username and password. A physical security key is the most secure option: it only answers to the genuine website it was registered with, so a fake login page can’t capture and replay it.
  • Try a Passkey: You might have seen some websites asking you to make one. Passkeys are a step above passwords. They use the same phishing-resistant technology as security keys, stored on your phone or computer, and log you in without a password or a separate 2FA step.
  • Use a strong, unique password: Many smartphones now suggest one for you, often reading like gobbledygook. Don’t reuse passwords across sites, because one leaked password is then tried everywhere.
  • Avoid phishing links: Don’t click login links in emails or DMs claiming to be from a trusted platform.
  • Check login activity: Sites like Instagram often let you see who – and from where – logins are being attempted. Report any that aren’t you.

Get in touch with our news team by emailing us at webnews@metro.co.uk.

