A bug in Meta's artificial intelligence customer service tool left more than 34,000 Instagram accounts vulnerable to takeover, with roughly 20,000 accounts actually breached by hackers, according to internal company documents reviewed by The New York Times.
The flaw allowed anyone to use an AI-powered chatbot designed for customer support to reset passwords for Instagram accounts. An attacker simply asked the chatbot to change a password, and the system complied without verifying the requester's identity. Meta said it has since fixed the vulnerability and secured the affected accounts.
High-Profile Accounts Targeted
Among the accounts compromised was the official Instagram account of former President Barack Obama, which had been dormant since he left the White House in 2017. In late May, the account suddenly began posting unusual content, including messages deriding President Trump and claiming the White House was "under Shiite control." The posts were not authorized by Obama's office.
Hackers also took over the account of SimpliSafe, a home security monitoring company, and the Instagram account of a senior official in President Trump's Space Force department. In the Space Force official's case, attackers posted pro-Iran messages comparing the war in Iran to U.S. involvement in Vietnam during the 1960s.
Scale of the Breach
Of the 34,000 accounts affected, about 20,000 were breached, meaning hackers gained access to the account holders' email addresses, phone numbers, birth dates, and other personal data. Internal documents show that more than 3,500 of the affected accounts had their user names changed by the attackers.
Meta stated that it could not determine exactly what information was viewed or stolen by the attackers. The company said it has notified affected users and restored access to compromised accounts.
The vulnerability was first reported by 404 Media earlier this month. The New York Times obtained internal Meta documents that detailed the scope of the breach.
Broader Implications for AI Security
The incident highlights a growing concern as companies deploy AI chatbots for customer service and other sensitive functions. Meta has been integrating AI tools across its platforms, including Instagram and Facebook, to automate tasks such as password resets and account recovery. Security experts have warned that such systems can be exploited if not properly designed with verification safeguards.
Meta, the parent company of Instagram, has faced previous security incidents, but this is one of the first major breaches linked directly to an AI-powered tool. The company has not disclosed whether it will change its approach to AI-based customer service in the wake of the incident.
The bug was discovered in March, meaning it existed for several months before Meta patched it. Hackers exploited it to target a wide range of accounts, from high-profile political figures to businesses. The Obama account, which had not posted in nearly a decade, was likely chosen for its visibility and potential for disinformation.
Meta's Response
In a statement, Meta said: "We have fixed this bug and secured the affected accounts. We are working with law enforcement and have taken steps to prevent this from happening again." The company did not provide details on how the fix was implemented or whether any attackers have been identified.
The breach underscores the risks of relying on AI systems for critical account management functions without robust authentication checks. As AI chatbots become more common in customer service, companies will need to balance convenience with security.
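The missing safeguard described above, sketched as an added example: this is not Meta's code, and the company has not published how its tool or its fix works. The session store, tool names and five-minute freshness window are hypothetical assumptions; the point is that the guarded dispatcher treats the model's tool call as a request and takes the authorization decision from server-side session state.

```python
# Added illustration; every name and value below is hypothetical and constructed.
# Sessions are filled in by the normal login/recovery flow, never by the chatbot.
SESSIONS = {
    "sess-alice": {"account": "alice", "verified_at": 1_000_000.0},
    "sess-anon": {"account": None, "verified_at": None},
}
SENSITIVE_TOOLS = {"reset_password", "change_email"}
MAX_PROOF_AGE = 300  # seconds a verification stays valid for sensitive actions

class Denied(Exception):
    """Raised when a tool call is refused by policy."""

def dispatch_unsafe(tool_call):
    """Weak pattern: the target account is whatever the conversation named."""
    return f"{tool_call['name']} executed for {tool_call['args']['account']}"

def dispatch_guarded(session_id, tool_call, now):
    """The model's tool call is only a request; server-side state decides."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise Denied("unknown session")
    name, target = tool_call["name"], tool_call["args"].get("account")
    if name in SENSITIVE_TOOLS:
        if session["account"] is None:
            raise Denied("requester identity not verified")
        if now - session["verified_at"] > MAX_PROOF_AGE:
            raise Denied("verification too old, step-up required")
        if target != session["account"]:
            raise Denied("target is not the verified account")
    return f"{name} executed for {target}"

def demo(now=1_000_100.0):
    cases = [
        ("sess-anon", "alice", now),         # unverified requester
        ("sess-alice", "bob", now),          # verified, but wrong target
        ("sess-alice", "alice", now + 900),  # verification expired
        ("sess-alice", "alice", now),        # verified owner, fresh proof
    ]
    results = []
    for sid, account, t in cases:
        call = {"name": "reset_password", "args": {"account": account}}
        try:
            results.append(dispatch_guarded(sid, call, t))
        except Denied as exc:
            results.append(f"denied: {exc}")
    return results

if __name__ == "__main__":
    print(*demo(), sep="\n")
```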

