Over the weekend, hackers claimed to have successfully exploited Meta's AI chatbot to gain control of numerous popular Instagram accounts. Simultaneously, many users complained on social media about their Instagram accounts being stolen, including accounts with short and unique usernames.
TechCrunch noted instances of compromised accounts using popular words or country names. These accounts were then resold as collectibles on a black market that specializes in original (OG) usernames. Other victims of this campaign appear to include an inactive White House account from former President Barack Obama's administration (although Meta has denied this).

These attacks were so simple that calling them cyberattacks might be overstating the perpetrators' role and failing to adequately address Meta's failure to prevent such rudimentary methods of hijacking user accounts.
Hackers simply inform Meta's AI chatbot that they own the target account, then request the system to link that account to an email address they control. The chatbot executes the request correctly, allowing the attacker to reset the password and gain control, even locking the victim's access. No Meta employees or contractors are involved in this verification process.
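The failure the article describes is an automated support tool that performs a security-critical action (changing which email address can reset an account's password) on the strength of a natural-language ownership claim. The following is an added, hypothetical model in Python, not code from Meta, Instagram or TechCrunch. The account data, session fields, function names and the audit log are all constructed for the illustration. It contrasts the unverified pattern with one that requires the session's authenticated principal to match the account owner and to have passed a fresh step-up challenge delivered to the existing recovery channel, and it records every denial so that a burst of failed recovery-email changes can be alerted on.

```python
"""Hypothetical model of an AI support agent's "link recovery email" tool.

Constructed example: the account data, sessions and audit log below are
made up and do not describe Meta's systems. It shows a tool that acts on
an unverified ownership claim next to one that checks the authenticated
principal and a step-up challenge sent to the existing recovery address.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional
import hmac
import secrets


@dataclass
class Account:
    username: str
    owner_id: str          # id of the authenticated user who owns the account
    recovery_email: str


@dataclass
class Session:
    principal_id: Optional[str]                   # None for an unauthenticated chat session
    pending: dict = field(default_factory=dict)   # username -> challenge code awaiting confirmation
    verified: set = field(default_factory=set)    # usernames with a fresh, passed step-up challenge


class AuthorizationError(Exception):
    pass


# Append-only event log a detection team could alert on (constructed).
AUDIT: list = []


def make_accounts() -> dict:
    """Constructed sample data: one account with a short, desirable username."""
    return {"example_og": Account("example_og", "user-1001", "owner@example.com")}


def link_email_unchecked(accounts, session, username, new_email, caller_claims_ownership):
    """Vulnerable pattern: the only 'check' is the caller's natural-language claim."""
    if not caller_claims_ownership:
        return "denied"
    accounts[username].recovery_email = new_email
    return "linked"


def issue_challenge(accounts, session, username):
    """Create a one-time code for the account's existing recovery email (delivery simulated)."""
    acct = accounts[username]
    code = secrets.token_hex(4)
    session.pending[username] = code
    # In production the code is delivered out of band to acct.recovery_email and never
    # shown in the chat; it is returned here only so the example runs offline.
    return acct.recovery_email, code


def confirm_challenge(session, username, code):
    """Consume the pending challenge; a wrong code burns it and a new one must be issued."""
    expected = session.pending.pop(username, None)
    if expected is not None and hmac.compare_digest(expected, code):
        session.verified.add(username)
        return True
    return False


def link_email_checked(accounts, session, username, new_email):
    """Hardened pattern: the authenticated principal must own the account and must hold
    a fresh step-up verification; every refusal is logged for detection."""
    acct = accounts.get(username)
    if acct is None:
        raise LookupError("no such account")
    if session.principal_id is None or not hmac.compare_digest(session.principal_id, acct.owner_id):
        AUDIT.append({"event": "recovery_email_change_denied", "username": username,
                      "principal": session.principal_id, "reason": "not_owner"})
        raise AuthorizationError("session principal is not the account owner")
    if username not in session.verified:
        AUDIT.append({"event": "recovery_email_change_denied", "username": username,
                      "principal": session.principal_id, "reason": "no_step_up"})
        raise AuthorizationError("fresh step-up verification required")
    session.verified.discard(username)   # verification is single use
    old = acct.recovery_email
    acct.recovery_email = new_email
    AUDIT.append({"event": "recovery_email_changed", "username": username,
                  "principal": session.principal_id, "old": old, "new": new_email})
    return "linked"
```

The point of the hardened version is that the language model never decides authorization: the tool itself checks a credential the model cannot fabricate (the session principal) plus proof of access to the current recovery channel, and the decision is logged so that repeated `not_owner` denials against OG-style usernames stand out in monitoring.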
On June 1st, Meta spokesperson Andy Stone confirmed: "The incident occurred and has now been fixed." However, the following day, more Instagram users reported their accounts being compromised.
Meanwhile, TechCrunch tracked discussions on a Telegram channel where the attack technique was shared. Members there claimed to still be able to exploit Meta's chatbot and openly sell the compromised accounts as of the time this article was written. It is difficult to definitively determine whether all these accounts were attacked using the same method.
In a subsequent post on platform X, Stone stated: "Some people may receive password reset notifications and some may be asked to answer security questions when trying to log into their accounts."
Speaking to TechCrunch via email, Stone confirmed that Meta secured the affected accounts on June 1st and subsequently began sending password reset emails. However, he declined to disclose the number of users affected.

Many users reported that Meta had started sending warning notifications. Victims publicly shared receiving emails from Instagram stating that the company had "detected some suspicious activity indicating that your Instagram account may have been compromised." The notification also stated that the company had implemented account security measures and asked users to reset their passwords.
As 404 Media previously noted, Meta announced in March that it would be using AI to automate its user support process. The company claimed its chatbot "is designed to resolve account issues from start to finish" and would be able to "securely reset your password."
This shows that chatbots are now being entrusted with tasks that previously required human intervention, despite how security-critical such processes are.
Over the years, the market for buying and selling OG usernames has grown significantly. However, in the past, hijacking these accounts required more sophisticated strategies, such as impersonating victims, hijacking phone numbers, or bribing insiders at telecommunications providers.
This time, the hackers simply made a request, and Meta's chatbot followed it.
(According to TechCrunch)

Source: https://vietnamnet.vn/meta-gui-email-canh-bao-den-nguoi-dung-instagram-2522533.html