SEPHORA A.I CyberSecurity Scoring
SEPHORA
Company Information
Website: http://www.inside-sephora.com/
Number of employees: 49,309
Number of followers: 2,599,126
NAICS: 43
Industry Type: Retail
Homepage: inside-sephora.com
SEPHORA Risk Score (AI oriented)
Between 750 and 799
Updated: 08/06/2026
761/1000
Fair
Baa
SEPHORA Global Score (TPRM)
Score locked

Current Score: 761 Baa (FAIR)
3 incidents
-33.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
772
Cyber Attack
01 Jun 2026 • SEPHORA
Sephora and Obama White House: High-profile Instagram AI chatbot breach spotlights security risks of automation
Meta’s Instagram Hack Exposes Critical AI Security Flaw
760
CRITICAL-12
SEPTHE1780490835
On June 3, a sophisticated Instagram hack exploited a vulnerability in Meta’s AI-powered support chatbot, allowing attackers to hijack high-profile accounts including the dormant Obama White House page, beauty retailer Sephora, and a senior U.S. Space Force official. The breach occurred over the weekend, with hackers manipulating the chatbot into resetting account credentials without proper identity verification, a tactic known as "prompt injection."
Cybersecurity experts described the incident as a "foundational architecture failure," noting that Meta’s AI system was granted privileged actions without adequate access controls. The attack underscored broader risks as tech companies automate sensitive functions, such as account recovery, while AI systems remain vulnerable to manipulation. Former Meta employee and security researcher Jane Wong, whose own accounts were compromised, reported unauthorized password changes and multiple reset attempts before regaining access.
Meta confirmed the issue was resolved and stated it was securing affected accounts, though details about the hackers remain unknown. The incident rattled investors, contributing to a more than 5% drop in Meta’s shares as concerns grew over the company’s aggressive AI integration amid workforce reductions and massive infrastructure spending of up to $145 billion.
The hack follows previous AI-related missteps, including a Reuters investigation revealing Meta’s chatbots lacked safeguards against inappropriate interactions with minors or spreading misinformation. While Meta has since introduced parental controls, experts warn that such exploits are not unique to the company. As AI agents handle increasingly complex tasks, hackers are targeting them with scams, raising questions about the readiness of automated systems to manage security-critical functions.
The attack highlights the growing challenge of balancing AI-driven efficiency with robust safeguards, as prompt injection and similar techniques become more prevalent across the tech industry.
MAY 2026
771
APRIL 2026
826
Breach
17 Apr 2026 • SEPHORA
Sephora: Meta Says Thousands of Instagram Accounts Were Breached Through Its AI Support Assistant
Meta Confirms 20,000 Instagram Accounts Breached via AI Support Assistant Flaw
771
CRITICAL-55
SEP1780946094
Meta disclosed a security breach affecting over 20,000 Instagram accounts after hackers exploited a vulnerability in its AI-powered support assistant. The incident, which began on April 17 and was discovered on May 31, allowed attackers to bypass email verification during password resets, gaining unauthorized access to accounts.
The flaw stemmed from a bug in a secondary code path that failed to confirm whether the email address provided for a password reset matched the account owner’s. Hackers used VPNs to appear in the same country as their targets, then tricked Meta’s AI assistant into linking their own email addresses to the victims’ accounts. Once linked, the attackers received password reset links, enabling full account takeovers. The attack only succeeded on accounts without two-factor authentication (2FA) enabled.
Among the high-profile accounts compromised were those belonging to the Barack Obama White House, the Chief Master Sergeant of the U.S. Space Force, and Sephora. While Meta stated it is unaware of any personal data being accessed, the breach could have exposed contact details, dates of birth, profile information, direct messages, account history, and linked service data.
Meta responded by disabling the AI support tool, removing the vulnerable code, and invalidating existing password reset links on the day the breach was identified. The company also notified regulators and filed a breach notice with Maine’s attorney general, confirming 20,225 affected individuals. Additionally, Meta is reviewing similar account recovery processes across its platforms to prevent future vulnerabilities.
The incident highlights growing concerns about AI’s role in cyberattacks, as hackers increasingly leverage automated tools to exploit security gaps with minimal human intervention. Meta’s AI support assistant, introduced in March 2024 to streamline account recovery, became an unintended vector for the breach.
MARCH 2026
826
FEBRUARY 2026
826
JANUARY 2026
826
DECEMBER 2025
824
NOVEMBER 2025
824
OCTOBER 2025
824
SEPTEMBER 2025
823
AUGUST 2025
823
JULY 2025
823
JULY 2019
832
Breach
01 Jul 2019 • SEPHORA
Sephora Data Breach
781
CRITICAL-51
SEP2372423
International beauty retailer Sephora has admitted to a breach of its online users' data, affecting customers in Singapore as well as in other countries including Malaysia, Indonesia, Thailand, and the Philippines.
Some personal information has been exposed to unauthorized third parties, including first and last name, date of birth, gender, e-mail address, and encrypted password.
The company determined that no credit card information was accessed and said it had no reason to believe that any personal data had been misused.
The security incident was limited to a database serving its Southeast Asia, Hong Kong SAR, and Australia/New Zealand customers who used its online services.