A support chatbot was supposed to help Instagram users regain access to their accounts – but did exactly the opposite. It gave anyone access to poorly secured Instagram accounts, as the company has now announced. Around 20,000 accounts are affected. Basically, any account that did not have two-factor authentication activated was at risk.
This gave attackers access to all the information stored in the accounts, such as date of birth, personal messages and pictures. Access to other linked Meta accounts, such as on Facebook, was also possible.
Chatbot opens the door to third-party accounts
A video on … As can be seen in the video, the only other requirement was a VPN connection exiting in the target’s approximate geographic region, so as not to arouse Meta’s suspicion.
The app then offers to send a password-reset code to the email address on file. Instead, the attacker clicks on “Get support” in the top left to reach Meta’s AI chatbot. He then asks the chatbot to send the reset code to a new email address so that it can immediately be linked to “his” account – in reality, the target’s account. The chatbot promptly does as it is told; the attacker in turn submits the code he received to the chatbot and can then change the account’s password and gain access to it.
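The weak point in the flow described above is that the reset code is delivered to an address the requester names rather than to a contact channel already on file. The following model, written for this article and not taken from Meta’s code, contrasts that behaviour with an authorization rule a support assistant’s actions should pass through; the account data and request are constructed, and the field names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    verified_emails: frozenset   # recovery addresses already confirmed for this account
    two_factor_enabled: bool


@dataclass
class SupportRequest:
    account: Account
    action: str                  # "send_reset_code" or "link_email"
    destination: str             # address the requester asks the assistant to use
    proved_verified_channel: bool = False  # completed a challenge on a contact already on file
    second_factor_ok: bool = False         # presented the second factor, if one is enrolled


def flawed_authorize(req: SupportRequest) -> bool:
    """Models the reported behaviour: the assistant does whatever the chat asks."""
    return req.action in ("send_reset_code", "link_email")


def hardened_authorize(req: SupportRequest) -> bool:
    """Reset codes only ever go to channels on file; adding a channel is itself a
    sensitive change that needs proof of an existing channel (plus 2FA if enrolled)."""
    acct = req.account
    if req.action == "send_reset_code":
        return req.destination in acct.verified_emails
    if req.action == "link_email":
        if acct.two_factor_enabled and not req.second_factor_ok:
            return False
        return req.proved_verified_channel
    return False  # unknown actions are denied by default


def takeover_attempt() -> SupportRequest:
    """Constructed scenario: account without 2FA, requester names an address not on file."""
    victim = Account("coveted_name", frozenset({"owner@example.invalid"}), two_factor_enabled=False)
    return SupportRequest(victim, "send_reset_code", "attacker@example.invalid")


def legitimate_recovery() -> SupportRequest:
    """Constructed scenario: the real owner asks for a code at the address already on file."""
    owner = Account("coveted_name", frozenset({"owner@example.invalid"}), two_factor_enabled=False)
    return SupportRequest(owner, "send_reset_code", "owner@example.invalid")
```

Running the two policies over the same requests shows that the flawed rule approves the takeover while the hardened one approves only the recovery to the address on file.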
Trade in coveted usernames
The attorney general of the US state of Maine published Meta’s report on the security breach. A total of 20,225 accounts were affected, and their rightful owners still need to be informed. 404 Media reports on several security researchers who had already warned about the scam in recent weeks. Particularly sought-after usernames have become commodities in cybercriminal circles: in relevant Telegram groups, price lists were shared for usernames that, for example, consist of only a few letters or form a meaningful word, and that could be captured using this scam.
The security breach comes at about the same time as the hacks of prominent Instagram accounts, such as Barack Obama’s official account from his time as US President. John Bentivegna, a senior member of the US Space Force, also recently fell victim to Iranian hackers with his Instagram account.
The problems were only made possible by Meta’s new “AI Support Assistant”, announced in March. With it, the company delegated important tasks entirely to artificial intelligence and promised “reliable help around the clock on Facebook and Instagram – fast, effective and designed to solve account problems from start to finish.” Paradoxically, the assistant is also meant to help those whose accounts have been hacked. The vulnerability has now been closed, several security researchers report, and a spokesperson confirmed this to 404 Media. It is said to have been a programming error. Meta takes a particularly aggressive approach to using AI and also ties the performance evaluation of its employees to their use of AI. It is not known whether the developers of the “AI Support Assistant” themselves used AI, nor what kind of oversight Meta put in place for it.
(nen)
