Instagram AI chatbot tricked by hackers to give access to others' accounts


Instagram says it has resolved an issue which saw hackers trick its AI support tool into giving them access to other users' accounts.
According to claims shown in screenshots and videos shared on social media, Instagram's AI chatbot allowed users to "hijack" accounts in recent days.
Hackers could reportedly change passwords for other accounts by faking their location and then asking the AI to change the emails associated with them.
Tech news outlet 404media reported that posts about the vulnerability coincided "with a series of high-profile Instagram account takeovers" including a verified account used by Barack Obama when he was in the White House.
The former US president's account reportedly posted pro-Iran content before it was recovered.
It is unclear how many Instagram accounts were affected by the apparent exploit.
But among those claiming to have been impacted was security researcher and former Meta employee Jane Manchun Wong.
Wong, who previously worked at Meta as a security engineer, said in a post on X her Instagram password "got changed without my knowledge and I was getting different password reset attempts throughout yesterday".
"Quite concerning," she added.


The incident comes amid concerns about the impact of increasingly capable and common AI systems on people's data and security.
Videos shared on social media purported to show how Instagram hacks could take place.
One, shared by cybersecurity researcher Dark Web Informer on X, showed someone searching for the username of an account they wished to gain access to as part of Instagram's recovery process.
They were also shown to be using a virtual private network (VPN) service to pretend to be in the real account holder's location.
After selecting the account they wanted to access, they sent a message to Instagram's Meta AI support assistant asking to link a new email to the account and send it a verification code.
The bot followed through with the request - sending a code to the hacker's email which, when verified, was followed by an email with a link to change their password.
"We're at the point where one AI stole it and another can't fix it, zero humans in the loop anywhere," they said.
The BBC has asked Meta whether human support workers are available to help users whose accounts have been hacked.
An independent body which hears disputes from social media users in the EU said last week that Meta virtually never replies when it raises cases of people who say they have been wrongly banned from their accounts.

<small>Source: BBC News</small>