Meta's AI support chatbot made it ridiculously easy for hackers to take over Instagram accounts

The company says it's working on securing affected accounts.

Back in December, Meta announced a new AI support assistant it promised would make the account recovery process "faster and simpler" for people who had been locked out of their Facebook or Instagram pages. Now, it seems that Meta may have over-delivered on that promise.

That same Meta AI support assistant has apparently been used by hackers to hijack a bunch of Instagram accounts. According to security researchers, the AI tool made it ridiculously easy for hackers to take over the accounts, even if they were protected by two-factor authentication.

The exploit was flagged over the weekend by numerous security researchers on X. Details about how to take over accounts, as well as screenshots and video showing the takeovers in action, were circulating widely on Telegram, the researchers said. The images and videos suggest that hackers were able to simply ask the AI support chatbot to change the email associated with their desired account and then request a password reset.

This issue has been resolved and we are securing impacted accounts.

Though Meta didn't provide additional info on why its AI support tool would have such a gaping security vulnerability, it seems that hackers discovered the Meta chatbot relied on account holders' physical location to enable support. The now-patched exploit required hackers to use a VPN to show that their location matched the location of the person whose account they were targeting, according to Neowin. "Our systems recognize the device you usually use and familiar locations better than ever," Meta wrote in its December blog post about the AI support tool.

While we don't know officially how many accounts were hijacked with the AI tool, the timing seems to coincide with a wave of hacks of high-profile accounts, including an account for the Obama White House. The account, which hadn't posted since 2017, posted an AI-generated image that translates to "the White House is under Shiites' control," according to TMZ. Meta confirmed the hack to the outlet but didn't provide details on how it was carried out or who might have been behind it. Other accounts that may have been caught up in the exploit include beauty retailer Sephora and a high-ranking Space Force official, according to 404 Media.