Instagram has resolved a security issue that allowed several users’ accounts to get hacked. The attack appeared to rely on tricking Meta’s own AI-powered support chatbot into granting access to a victim’s account.
Over the weekend, several users on Reddit claimed that their Instagram accounts had been compromised, and a number of users on X warned of similar account hijackings. The compromised accounts include the Instagram handle for the Obama-era White House, which appears to have been inactive since 2017; and the account of the U.S. Space Force’s chief master sergeant John Bentinvegna.
Security researcher Jane Wong said her Instagram account was also taken over.
“The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday,” said Wong. “Quite concerning.”
A video posted on X showed the step-by-step process to hack someone’s Instagram account. The hacker allegedly used a VPN to spoof the targets’ presumed location to avoid triggering Instagram’s automated account protections. Then, the hacker opened a chat with Meta AI Support Assistant and asked the bot to add a new email address to the target’s account. The chatbot can be seen sending a verification code to the email address provided by the hacker; the hacker then shares the verification code with the chatbot, which prompts the chatbot to show a button to “Reset Password.” The hacker enters a new password and takes over the victim’s account.
TechCrunch was able to verify that the hacker’s public email mailbox, which was displayed in the video, effectively received the verification code.
The attack relied on the fact that at no point the hacker had to take over the legitimate email address linked to the victims’ Instagram account.
On Monday, Instagram spokesperson Andy Stone said in a reply to Wong’s post and others that the issue was now fixed. It’s unclear how many Instagram users had their accounts improperly accessed.
Meta did not immediately respond to TechCrunch’s request for comment.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.
