**
In a startling revelation, hackers have successfully infiltrated several high-profile Instagram accounts, including the official Obama White House account, by manipulating Meta’s AI-powered support chatbot. This breach has raised urgent questions about the reliability of AI-driven security measures—especially those related to password management. Meta has confirmed the issue and stated that it has taken steps to secure the impacted accounts.
The Breach Unveiled
The infiltration was first reported by 404 Media, which detailed how hackers exploited Meta’s AI assistant to hijack accounts belonging to notable figures and organisations, such as Sephora and the US Space Force chief master sergeant, John Bentivegna. As the situation unfolded over the weekend, many everyday users also voiced similar concerns, sharing their experiences on platforms like Reddit and X (formerly Twitter).
Videos and screenshots showcasing the hacking methods circulated on Telegram, illustrating a hacker instructing Meta’s AI assistant to change the linked email address of a targeted account. The AI bot, seemingly unaware of the malicious intent, confirmed that a verification code had been sent to the new email and prompted the hacker to input this code. After entering the correct digits, the hacker was then granted access to reset the account’s password effortlessly.
What’s particularly alarming is that at least one hacker employed a virtual private network (VPN) to mask their actual location, successfully bypassing Meta’s security protocols.
Meta’s Response
In light of the breach, Meta released a statement on Monday asserting, “This issue has been resolved, and we are securing impacted accounts.” However, the company has not disclosed the total number of accounts affected, leaving many to wonder about the extent of the damage.
This incident has prompted a critical examination of the security implications of integrating AI into user support systems. As reported, some stolen account handles began appearing for sale on Telegram, further emphasising the potential risks associated with AI-driven processes.
The Rise of AI Security Measures
Meta has been aggressively investing in AI under the stewardship of its founder, Mark Zuckerberg, who has allocated a staggering $145 billion (£108 billion) towards AI infrastructure, including data centres, this year alone. Earlier this year, Meta rolled out its AI support assistant across Facebook and Instagram, promoting it as a revolutionary tool capable of handling various user requests, from reporting scams to resetting passwords.
A press release heralding this new feature described it as a significant leap forward in enhancing user support on the platforms. However, the recent breach has cast a shadow over this optimism, leading many to question whether such sophisticated AI systems are sufficiently secure against exploitation.
The Broader Implications
Aiden Sinnott, a principal threat researcher at Sophos, characterised the Meta incident as a “prompt injection” attack—where hackers manipulate AI chatbots into executing harmful actions. Sinnott warned that as more online services adopt AI chatbots without adequate security measures, incidents like this are likely to proliferate.
Zuckerberg has also entertained ambitious visions for AI, suggesting that these tools could eventually replace human therapists in mental healthcare settings. Such claims, while innovative, have raised eyebrows among mental health professionals concerned about the potential for inappropriate advice being dispensed by AI.
Why it Matters
As technology continues to evolve, so too does the complexity of cyber threats. This incident serves as a stark reminder of the vulnerabilities inherent in relying on AI for sensitive security tasks. The implications extend beyond individual users, affecting businesses and institutions that trust these systems with their digital identities. It’s crucial for organisations to reassess their security frameworks and ensure that AI tools are equipped with robust safeguards to mitigate such risks, ultimately protecting the integrity of user accounts and sensitive information.
