Overview
- Over the weekend, attackers used Meta’s AI support assistant to add attacker-controlled email addresses to Instagram accounts, receive verification codes, and then reset passwords. Meta’s vice president of communications, Andy Stone, said the issue has been fixed and impacted accounts are being secured.
- Hackers reportedly increased their odds by spoofing locations with VPNs or proxies and submitting AI-generated selfie videos to satisfy the bot’s identity checks, then following the chat flow that linked the attacker email and produced a password reset option.
- Several high-profile accounts were briefly compromised; reporting and researcher confirmations name the Obama-era White House archive, Sephora’s corporate page, the U.S. Space Force chief master sergeant’s account, and security researcher Jane Manchun Wong among those affected.
- Security investigators and reporting found the technique largely failed against accounts using multi-factor authentication (MFA), and experts say enabling MFA is the clearest immediate protection for users.
- The incident has intensified scrutiny of Meta’s push to automate sensitive support functions after recent staffing cuts, prompting calls for stronger identity verification, human escalation paths, and tighter limits on what AI support agents can change.