A critical flaw in Instagram’s Meta AI-powered account recovery tool allowed attackers to hijack high-value accounts by manipulating the chatbot into forwarding password reset codes without proper verification.
Security researchers ZachXBT and Dark Web Informer exposed the vulnerability, revealing that threat actors exploited Instagram’s Meta AI assistant—a tool designed to help users regain account access. By engaging the AI chatbot in conversation, attackers prompted it to send password reset codes to unauthorized parties, effectively bypassing identity verification checks. This flaw stemmed from insufficient controls in how the AI processed account recovery requests, enabling anyone with knowledge of a target’s username to initiate a takeover.
Notably, attackers targeted premium, short-handle Instagram accounts, including high-profile usernames such as @hey and @jowo, which are highly valued in underground markets. These coveted accounts, some collectively worth over $1 million, were quickly sold through private Telegram channels before Meta could intervene. This swift operation underscores the organization and financial motivation of threat actors exploiting social media platform vulnerabilities.
Meta addressed the vulnerability after reports surfaced online. In an official statement, the company stated: “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems, and people’s Instagram accounts remain secure.” Despite the patch, the incident raises serious questions about the security architecture surrounding AI-assisted support tools and their access to sensitive account recovery functions.
To protect your Instagram account, security experts recommend the following steps:
- Enable app-based two-factor authentication (2FA) using apps like Google Authenticator or Authy, instead of SMS-based verification.
- Use a private, dedicated email not publicly associated with your Instagram profile.
- Avoid reusing passwords across platforms; utilize a reputable password manager.
- Regularly monitor account activity for unauthorized access.
As AI integration in customer support grows, ensuring robust security measures is crucial to prevent similar exploits. Users should remain vigilant and adopt recommended security practices to safeguard their accounts.
Source: CyberSecurityNews
