Overview
- Attackers manipulated Meta’s AI support assistant to add attacker-controlled email addresses and obtain verification codes, which let them reset passwords and take over Instagram accounts.
- Videos and step-by-step posts that circulated over the weekend showed the workflow in action, and TechCrunch confirmed that a demonstration email address received an Instagram verification code.
- Meta’s communications head Andy Stone said the company patched the flaw and is securing impacted accounts, but the total number affected remains unknown.
- Some developers and users reported that account takeovers continued after the initial fix and alleged that Meta removed only a front-end support button while back-end endpoints may have remained reachable.
- Security researchers say that multi-factor authentication largely blocked the attack, that attackers used VPNs and fake or AI-generated selfie videos to try to pass checks, and that the incident raises questions about oversight after Meta’s recent staff cuts and fast AI rollouts.