Meta's AI-powered support system has been exploited by hackers to hijack over 20,000 Instagram accounts, exposing a critical weakness in the company's account recovery process. The attack allowed unauthorized parties to reset passwords and take control of accounts that did not have two-factor authentication (2FA) enabled.

What Happened

The incident occurred when hackers exploited a bug in Meta's High Touch Support (HTS) tool, an AI-assisted support system designed to help users regain access to locked Instagram accounts. The HTS tool allows users to request password reset links through the support workflow when they lose access to their accounts.

According to Meta, the vulnerability was discovered on May 31st, and the company "resolved" the incident on June 1st. However, it is unclear how long the attack had been ongoing before it was detected. The notice filed with the state of Maine lists April 17th as the incident date, indicating that the first unauthorized access may have occurred more than six weeks earlier.


Meta's associate general counsel for incident response legal, Amber Hannah, explained in a data breach letter that the bug allowed hackers to obtain password reset links by providing an email address not previously associated with the account. Instead of rejecting the request, the system sent the reset link to that unverified address, so whoever supplied it, rather than the account owner, received the link and could use it to take over the account.

Background and Context

The High Touch Support (HTS) tool is the AI-assisted workflow through which locked-out Instagram users request password reset links. Because the workflow did not check that the requester's contact address was actually bound to the account, attackers could trigger resets for thousands of accounts they did not own.

The takeovers succeeded only against accounts without 2FA enabled. Once inside, the attackers could have obtained profile information, email addresses, phone numbers, dates of birth, direct messages, social media posts, and information on account activity and interaction history.

Meta has confirmed that the breach relates to "a vulnerability in an AI-assisted account recovery system for Instagram," which was exploited to "perform password resets on Instagram user accounts." The company has disabled its AI support tool and removed the buggy code path, while invalidating any password reset links generated using the exploit.
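The breach letter describes the failure in enough detail to model it: a reset link delivered to a requester-supplied address rather than to an address already verified for the account. The following is an added illustration, not Meta's code and not a description of how the HTS tool is implemented. It contrasts that pattern with a hardened handler that only delivers to bound addresses, and includes a clean-up step of the kind Meta describes, revoking every outstanding link that went to an unbound address. All names (Account, request_reset_vulnerable, request_reset_fixed, redeem, invalidate_suspect_tokens) and the sample accounts are constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# --- Constructed sample state (hypothetical; not Meta's data) ----------------

@dataclass
class Account:
    username: str
    verified_emails: set            # addresses already bound to this account
    has_2fa: bool = False
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = b""

ACCOUNTS = {
    "alice": Account("alice", {"alice@example.com"}),
    "bob": Account("bob", {"bob@example.com"}, has_2fa=True),
}

# token -> (username, recipient address, expiry).  Recording the recipient is
# what makes the clean-up step below possible.
RESET_TOKENS = {}
# (recipient, token) pairs a mail sender would deliver; kept in memory so the
# example runs offline.
OUTBOX = []

TOKEN_TTL_SECONDS = 15 * 60


def _issue_token(username, recipient):
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, recipient, time.time() + TOKEN_TTL_SECONDS)
    OUTBOX.append((recipient, token))
    return token


def request_reset_vulnerable(username, contact_email):
    """The failure pattern the breach letter describes: the reset link goes to
    whatever address the requester supplies, with no check that the address
    belongs to the account."""
    if username not in ACCOUNTS:
        return None
    return _issue_token(username, contact_email)   # requester picks the recipient


def request_reset_fixed(username, contact_email):
    """Deliver only to an address already verified for this account.  An
    unknown user and an unbound address both get the same 'nothing sent' result,
    so the endpoint cannot be used to enumerate which addresses are bound."""
    acct = ACCOUNTS.get(username)
    if acct is None or contact_email not in acct.verified_emails:
        return None
    return _issue_token(username, contact_email)


def redeem(token, new_password, second_factor_ok=False):
    """Consume a reset token exactly once (it is removed on any attempt).  An
    account with 2FA enabled still needs its second factor; second_factor_ok
    stands in for the outcome of that separate check."""
    entry = RESET_TOKENS.pop(token, None)
    if entry is None:
        return False
    username, _recipient, expiry = entry
    acct = ACCOUNTS[username]
    if time.time() > expiry:
        return False
    if acct.has_2fa and not second_factor_ok:
        return False
    acct.password_hash = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), acct.salt, 200_000)
    return True


def invalidate_suspect_tokens():
    """Clean-up analogous to the step Meta describes: revoke every outstanding
    token that was delivered to an address not bound to its account.
    Returns the number revoked."""
    suspect = [t for t, (user, rcpt, _) in RESET_TOKENS.items()
               if rcpt not in ACCOUNTS[user].verified_emails]
    for t in suspect:
        del RESET_TOKENS[t]
    return len(suspect)


if __name__ == "__main__":
    stolen = request_reset_vulnerable("alice", "attacker@example.net")
    print("vulnerable flow mailed a token to", OUTBOX[-1][0])
    print("revoked", invalidate_suspect_tokens(), "suspect token(s)")
    print("stolen token still works:", redeem(stolen, "pwned"))
    print("fixed flow, unbound address:", request_reset_fixed("alice", "attacker@example.net"))
    legit = request_reset_fixed("alice", "alice@example.com")
    print("fixed flow, bound address, reset ok:", redeem(legit, "correct horse"))
```

The essential difference is a single authorization check in request_reset_fixed: the delivery channel must already belong to the account, and a support workflow that lets a user add a new address must verify ownership of that address before it becomes a valid channel. Storing the recipient with each token is what makes the post-incident revocation a query rather than a blanket reset of every outstanding link.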

Why it Matters to the Industry

The attack highlights a critical weakness in Meta's account recovery process, with clear implications for the adult industry, where a hijacked account can expose private messages and business contacts. The lesson is not specific to AI: an account recovery flow is an authentication path, and a reset link sent to an address the account owner never verified bypasses the password entirely. Many platforms rely on AI-assisted support systems to help users regain access to locked accounts, and this bug shows that such a system is only as safe as the checks it performs before it sends a link.

The incident also raises concerns about data security: everything reachable from a logged-in account, from contact details and dates of birth to direct messages and interaction history, was exposed to whoever completed the reset.

Furthermore, the attack only succeeded against accounts without 2FA enabled, which points to two controls. Platforms must send reset links only to contact channels already verified for the account, and users should enable 2FA so that a reset link alone is not enough to take the account over.

What Comes Next
