Hackers exploited Meta's AI support chatbot to take over Instagram accounts by tricking it into changing the email addresses associated with those accounts. The vulnerability allowed password resets without two-factor authentication once the attacker had matched locations via a VPN. Meta resolved the issue with an emergency patch on May 29.
The exploit involved starting a password reset and prompting the chatbot to update the email address on targeted accounts. Security researchers reported that the method had been active since February and widely discussed on Telegram since March. Compromised high-profile accounts included the Barack Obama White House account, which posted pro-Iranian images, and the Chief Master Sergeant of Space Force account, along with others such as Sephora and short handles valued above $1 million on the gray market.