Meta: Hackers could take over tens of thousands of Instagram accounts with Meta AI
- Authors: aimode.news (@aimode_news)

Meta's proprietary AI chatbot has helped hackers take over more than 20,000 Instagram accounts. The vulnerability became known earlier this week, and Meta has now said how many victims there were. The chatbot allowed hackers to easily change the email address of an Instagram account, after which they could take over the account.
The hack allowed 20,225 accounts to be taken over, Meta confirmed to the US state of Maine. The hack came to light earlier this week, but it was not yet known how many victims there were. Meta says that this number is an 'upper limit', because it may also include accounts where the user, not the hacker, logged in.
The attack worked through Meta's AI chatbot, which helps users resolve issues such as being locked out of their account. That chatbot didn't have many checks in place to verify that the user was actually allowed to access the account. Hackers only had to use a VPN to convince the chatbot that they were in the same region as the account user.
They then asked the chatbot for help because they had supposedly forgotten the account password, and asked Meta AI to change the email address of the account. The chatbot changed the email address accordingly, after which they reset the password via that new address. Accounts without two-factor authentication (2FA) could easily be taken over.
The hackers mainly targeted accounts with attractive usernames of up to four characters, which they could then sell. They also hacked or attempted to gain access to well-known and major accounts, such as the White House account of Barack Obama, a senior advisor to the US Space Force and security researcher Jane Wong.
Meta discovered the error on May 31 and took the chatbot offline. The company wants to adjust the chatbot so that users cannot simply change their email address.
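The failure described above (region treated as proof of identity) next to a stricter server-side check, as an added example that is not Meta's code. Every name, the proof labels and the sample accounts are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical labels for factors that prove control of something
# already bound to the account.
STRONG_PROOFS = {"otp_existing_email", "otp_existing_phone", "totp_2fa"}

@dataclass(frozen=True)
class EmailChange:
    session_id: str
    account: str
    new_email: str
    client_region: str  # derived from the IP address; a VPN sets it freely

class RecoveryGate:
    """Server-side check run on the assistant's change-email tool call."""
    def __init__(self, accounts, verified_proofs):
        self.accounts = accounts         # account -> {"email", "region"}
        # session_id -> proofs recorded by the auth service, never by chat text
        self.verified = verified_proofs
        self.notices = []

    def weak_allows(self, req):
        # Failure mode from the article: location treated as identity.
        return req.client_region == self.accounts[req.account]["region"]

    def hardened_allows(self, req):
        # Region is ignored as evidence; only verified factors count.
        return bool(self.verified.get(req.session_id, set()) & STRONG_PROOFS)

    def apply(self, req, hardened=True):
        ok = self.hardened_allows(req) if hardened else self.weak_allows(req)
        if not ok:
            return "denied"
        old = self.accounts[req.account]["email"]
        self.accounts[req.account]["email"] = req.new_email
        self.notices.append((old, "email changed"))  # alert previous address
        return "changed"

def demo():
    # Constructed sample data: one account, one session with a verified OTP.
    accounts = {"abcd": {"email": "owner@example.com", "region": "US"}}
    gate = RecoveryGate(accounts, {"s-owner": {"otp_existing_email"}})
    vpn_user = EmailChange("s-vpn", "abcd", "other@example.net", "US")
    owner = EmailChange("s-owner", "abcd", "owner-new@example.com", "US")
    return (gate.weak_allows(vpn_user), gate.apply(vpn_user),
            gate.apply(owner), accounts["abcd"]["email"])

if __name__ == "__main__":
    print(demo())
```

The region-only rule approves the request from the unverified session, while the stricter gate denies it and only changes the address for the session that proved control of the existing email.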