Instagram alerts users targeted in ongoing Meta AI chatbot account takeover attacks

A campaign that relied on Meta's AI chatbot to take over Instagram accounts continued after the company said the issue had been resolved. Meta has worked to secure the targeted accounts and alert victims. Over the weekend hackers claimed to be exploiting the chatbot to take over several high profile Instagram accounts. At the same time many people complained on social media that their accounts had been hacked, some with unique short user profile handles. TechCrunch has seen examples of allegedly hacked handles featuring common forenames or names of countries, which can be resold in a gray market for so called OG handles. Other victims appeared to be the dormant Obama White House account, which Meta disputed, and the account of the U.S. Space Force chief master sergeant John Bentivegna. Hackers simply told the chatbot that they were the owners of the target accounts and asked the bot to link the accounts to emails they controlled. The chatbot complied, allowing the hackers to reset the target account passwords and take control. No Meta employees or contractors were involved in the chat. On Monday Meta spokesperson Andy Stone said the issue that did happen has already been fixed. On Tuesday more Instagram users claimed to have had their accounts hacked. TechCrunch has seen discussions among members of a Telegram channel where the hacking technique had been publicized. Participants claimed to still be able to exploit the chatbot and were advertising apparently hacked handles for sale. In a later post on X Stone said some people may receive password reset notifications and some may be asked security questions when they try to log into their accounts. Stone told TechCrunch that Meta secured affected accounts on Monday then began sending password reset emails. Stone would not say how many users were hacked. Several people have reported that Meta has begun notifying users that they were being targeted. Victims publicly reported receiving emails from Instagram warning them that the company had detected some suspicious activity that suggests the account may have been compromised. The message said the company took measures to secure the account and asked the user to reset the password. Meta announced in March that it was implementing AI to automate its support to users. The company said the AI powered chatbot was designed to resolve account issues from start to finish and would have the ability to reset a password securely.