Instagram has resolved a security issue that allowed multiple users' accounts to be hacked. The attack appears to rely on tricking Meta's proprietary AI-powered support chatbot into granting access to victims' accounts.
Over the weekend, multiple users on Reddit claimed their Instagram accounts had been compromised, and many users on X warned of similar account hijackings. The compromised accounts include the White House Instagram handle from the Obama administration, which appears to have been inactive since 2017. John Bentivegna, Chief Master Sergeant of the U.S. Space Force, explains:
Security researcher Jane Wong said her Instagram account was also compromised.
“My password had been changed without my knowledge and I had multiple attempts to reset it all yesterday,” Wong said. “I'm quite worried.”
A video posted on X showed the step-by-step process of hacking someone's Instagram account. The hacker allegedly used a VPN to disguise their target's estimated location to avoid Instagram's automatic account protections. The hacker then initiated a chat with the Meta AI Support Assistant and asked the bot to add a new email address to the target's account. The video shows the chatbot sending a verification code to the email address provided by the hacker. The hacker then shared the verification code with the chatbot, which caused the chatbot to display a “Reset Password” button. The hacker entered a new password and took over the victim's account.
TechCrunch was able to confirm that the hacker's email address shown in the video did in fact receive a verification code.
The attack relied on the fact that the hacker never needed to take over the legitimate email address linked to the victim's Instagram account.
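The design point behind this, as an added example (a minimal model written for this page, not Meta's code and not from the video): a one-time code only proves control of the address it was sent to, so it authenticates the account owner only when that address was already linked to the account. The class, function, handle and address names are hypothetical.

```python
import hmac
import secrets


class RecoveryFlow:
    """Toy account-recovery flow (hypothetical model, not a real service)."""

    def __init__(self, accounts):
        # accounts: handle -> set of contact addresses the owner already verified
        self.accounts = accounts
        self.pending = {}  # (handle, address) -> one-time code
        self.outbox = []   # (address, code) pairs "sent" by the flow

    def request_code(self, handle, address, require_linked=True):
        """Send a one-time code to `address` while recovering `handle`."""
        linked = self.accounts.get(handle, set())
        if require_linked and address not in linked:
            # Hardened path: a requester-supplied address proves nothing
            # about ownership, so no code is sent to it.
            return False
        code = secrets.token_hex(4)
        self.pending[(handle, address)] = code
        self.outbox.append((address, code))
        return True

    def confirm(self, handle, address, code):
        """Allow the reset only if `code` matches the code sent (single use)."""
        expected = self.pending.pop((handle, address), None)
        return expected is not None and hmac.compare_digest(expected, code)


def simulate(require_linked):
    """Replay the reported sequence; True means the reset was granted."""
    flow = RecoveryFlow({"victim_handle": {"owner@example.com"}})
    unlinked = "stranger@example.net"  # constructed address, not on the account
    if not flow.request_code("victim_handle", unlinked, require_linked):
        return False
    _, code = flow.outbox[-1]  # the requester reads the code from their own inbox
    return flow.confirm("victim_handle", unlinked, code)
```

With `require_linked=False` the reset is granted to the unlinked address; with the default it is refused, while the owner's linked address still completes recovery.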
In a response to Wong's posts and others, Instagram spokesperson Andy Stone said Monday that the issue has now been resolved. It is unclear how many Instagram users had their accounts compromised.
Meta did not immediately respond to TechCrunch's request for comment.
