Meta AI Tricked Into Handing Over High-Profile Instagram Accounts

A surprisingly simple chatbot exploit hijacked major accounts before Meta deployed a patch

We have both good news and bad news for Instagram users. First the bad news: Hackers were able to trick Meta’s AI support bot into allowing them to take control of a number of Instagram accounts, including those owned by some high-profile individuals.

Some of the high-profile Insta accounts include those belonging to Obama’s White House, US Space Force, and ironically, the account belonging to security researcher Jane Manchun Wong.

Now for the good news. The social network is working on a way of preventing teenage users from being repeatedly exposed to content likely to impact their mental health.


Hackers Fool Meta’s AI Support Chatbot

Hackers managed to fool Meta’s AI support chatbot into allowing them to reset the passwords of other users’ Instagram accounts. It turns out the methods used by the bad actors were quite simple:

  1. The hacker allegedly used a VPN to spoof the targeted account owner’s presumed location, avoiding Instagram’s automated account protections.
  2. The bad actor then initiated a password reset process for the targeted account.
  3. When asked to select a password reset method, they chose “Meta AI Support Assistant”.
  4. They then asked the chatbot to add a new email address to the account.
  5. The chatbot performed the request without question, despite the fact that the hackers were not logged in to the account in question.
  6. The chatbot then happily sent a code to the brand-spanking new email address.
  7. The bad guys then used the sparkling new code to change the password on the account.
  8. Once the password was changed, the genuine account owner was automatically logged out of the account on all of the owner’s devices.
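As an added illustration of the missing check, and not code from Meta or from any of the reports cited here, the following toy model of an AI support assistant dispatches account tools with the authorization gate that the reported flow apparently lacked; every name, tool and email address in it is hypothetical and constructed for the example.

```python
# Constructed example (not Meta's code): an AI support assistant that can call
# account tools. Recovery codes may only go to contacts that were already on the
# account, and adding a contact requires a session bound to that account.
from dataclasses import dataclass, field
from typing import Optional


class AuthorizationError(Exception):
    pass


@dataclass
class Account:
    handle: str
    emails: set = field(default_factory=set)


@dataclass
class Session:
    # None means the requester is not logged in (e.g. a password-reset flow).
    account_handle: Optional[str] = None
    step_up_verified: bool = False  # recently re-authenticated (password/MFA)


def add_email_unsafe(account: Account, session: Session, new_email: str) -> set:
    """Mirrors the reported flaw: the mutation is performed for any requester."""
    account.emails.add(new_email)
    return account.emails


def send_reset_code(account: Account, to_email: str) -> bool:
    """Only contacts already on the account may receive a reset code."""
    return to_email in account.emails


ANON_TOOLS = {"send_reset_code"}   # allowed for a not-logged-in requester
SENSITIVE_TOOLS = {"add_email"}    # changes who controls the account


def assistant_call(tool: str, account: Account, session: Session, **args):
    """Dispatch a tool call, refusing account-control changes from anyone
    who is not logged in to this account with a fresh step-up check."""
    if tool in SENSITIVE_TOOLS:
        if session.account_handle != account.handle:
            raise AuthorizationError(f"{tool}: requester not logged in to @{account.handle}")
        if not session.step_up_verified:
            raise AuthorizationError(f"{tool}: step-up verification required")
        account.emails.add(args["new_email"])
        return account.emails
    if tool in ANON_TOOLS:
        return send_reset_code(account, args["to_email"])
    raise AuthorizationError(f"{tool}: not permitted for this requester")
```

The unsafe helper reproduces the reported behaviour so the contrast is visible; the dispatcher is the shape of the fix.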

Dark Web Informer has posted a video of the exploit in action.

TechCrunch reports that the stolen Instagram accounts included several high-profile accounts.

These include the Instagram handle for the Obama-era White House, which appears to have been inactive since 2017; and the account of the U.S. Space Force’s chief master sergeant John Bentivegna. Security researcher Jane Wong said her Instagram account was also taken over.

TechCrunch was able to verify that the hacker’s public email mailbox, which was displayed in the above video, received the verification code.

The relatively simple approach to stealing the accounts at no point required the hacker to take over the legitimate user’s email address that was linked to the targeted Instagram account.

“The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday,” said Wong. “Quite concerning.”

Instagram spokesperson Andy Stone said in an X post that while a claim that world leaders’ accounts had been taken over was “totally false,” the overall issue has now been fixed. It’s unclear how many Instagram users were targeted in the attack.

Instagram’s New Protections for Teenagers

On the positive side, Instagram is also reportedly testing a way to block its teenage users from being repeatedly exposed to content that is likely to impact their mental health. The company says the experiment proved successful and it’s now being rolled out globally.

In Meta’s words: “We recognize that some content — like posts about nutrition, weightlifting, or how to cope with anxiety — can be helpful, but it should be balanced with other types of content rather than shown repeatedly. That’s why we’re testing ways to limit teens from seeing too many posts of this kind in one go, including in Explore, Feed, and Reels.”

In October, Instagram Teen Accounts in the US, UK, Australia, and Canada were updated, defaulting teens into a new 13+ content setting. The new setting, which was inspired by ratings for movies, as well as parent feedback, is designed to help teens only see age-appropriate content by default. Meta says 9 out of 10 teens have remained in this setting since its launch. A stricter setting called “Limited Content” was also introduced, allowing parents to create an even more restrictive experience for their kids.
