Instagram has fixed an account security issue. According to TechCrunch, attackers could manipulate Meta's AI chatbot to add new email addresses to other people's accounts, trigger password resets, and ultimately take over the accounts.
Multiple users reported that their accounts were hacked.
The incident drew attention over the weekend. Multiple users on Reddit and X reported that their accounts had been compromised, including the Obama administration's White House Instagram account and the account of U.S. Space Force Chief of Staff John Bentivegna. Security researcher Jane Wong also stated that her account's password was changed and the account taken over without her knowledge.
Attack process bypasses original email control
The report indicates that the attackers first used a VPN to make their connection appear to come from the target's location, reducing the chance of triggering the platform's automated risk controls. They then opened a conversation with the Meta AI Support Assistant and asked for a new email address to be added to the target account.
In the demonstration video, the customer service chatbot sends a verification code to an email address provided by the attacker. The attacker then returns the verification code to the chatbot, and a "Reset Password" button appears. After this step, the attacker can set a new password and gain control of the account.
TechCrunch stated that it checked the email address shown publicly in the video and confirmed that the address did receive the verification code. At no point in the process did the attacker need control of the email address originally linked to the victim's account.
Meta says the vulnerability has been fixed.
Instagram spokesperson Andy Stone stated on Monday in response to a related post on social media that the issue has been fixed. However, Meta has not yet specified how many users were affected.
Based on the disclosed information, the incident shows that once an AI-powered customer service tool is given the authority to modify critical account data, an inadequate identity verification step turns it into an account-takeover path. Meta did not immediately respond to TechCrunch's request for further comment at the time of publication.
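The sequence described above (a code sent to an address the requester supplies, then a password reset) and the lesson drawn from it can be modelled in a few lines. The following is a constructed toy example added for illustration, not Meta's code: the addresses, hashes and codes are made up, and `add_email_hardened` stands for a step-up check that binds the change to a factor already on the account.

```python
# Constructed toy model of the recovery flow the report describes; not Meta's
# code. Addresses, hashes and codes below are made up for the demonstration.
import hmac
import secrets

class Account:
    def __init__(self, emails, password_hash):
        self.emails, self.password_hash, self.pending = set(emails), password_hash, {}

def send_code(acct, to_addr):
    """Simulates mailing a one-time code to to_addr; returns it for the demo."""
    acct.pending[to_addr] = code = secrets.token_hex(3)  # keyed by destination
    return code

def _consume(acct, addr, code):
    expected = acct.pending.pop(addr, None)  # single use
    return expected is not None and hmac.compare_digest(expected, code)

def add_email_weak(acct, new_addr, code):
    """Flawed: control of the NEW address says nothing about who is asking."""
    ok = _consume(acct, new_addr, code)
    if ok:
        acct.emails.add(new_addr)
    return ok

def add_email_hardened(acct, new_addr, new_code, trusted_addr, trusted_code):
    """Step-up: a code sent to an address ALREADY on the account is required first."""
    if trusted_addr not in acct.emails or not _consume(acct, trusted_addr, trusted_code):
        return False
    return add_email_weak(acct, new_addr, new_code)

def reset_password(acct, via_addr, code, new_hash):
    # Any address on the account may drive a reset, so adding one is decisive.
    if via_addr in acct.emails and _consume(acct, via_addr, code):
        acct.password_hash = new_hash

VICTIM, OUTSIDER = "victim@example.test", "outsider@example.test"
def outcome_weak():
    # The reported sequence: code goes to the requester's own address, then reset.
    acct = Account({VICTIM}, "h0")
    add_email_weak(acct, OUTSIDER, send_code(acct, OUTSIDER))
    reset_password(acct, OUTSIDER, send_code(acct, OUTSIDER), "h1")
    return acct.password_hash  # "h1": the requester now controls the account

def outcome_hardened():
    acct = Account({VICTIM}, "h0")
    send_code(acct, VICTIM)  # delivered to the real owner; the requester cannot read it
    add_email_hardened(acct, OUTSIDER, send_code(acct, OUTSIDER), VICTIM, "guess")
    reset_password(acct, OUTSIDER, send_code(acct, OUTSIDER), "h1")
    return acct.password_hash  # still "h0": the account was never modified
```

The point of the two outcomes is that proving possession of a new address never establishes who is asking; only a factor the account already trusts can authorise adding one.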