According to This Week in Security, Meta has notified affected users, but this incident reveals broader vulnerabilities in the field of artificial intelligence.
It seems that Meta’s AI-powered account support tools need significant improvement before they can replace human employees.
Meta is currently notifying Instagram users affected by a recent vulnerability in its AI system. As a result of the hack, attackers gained control over many Instagram accounts by tricking the company’s AI tool into granting them access.
In such situations, it is important for users to pay attention to signs of suspicious activity in a timely manner. You can read more about this in the article: How to tell if someone is trying to hack your Instagram
Additional information has also emerged about the scale of the consequences: This Week in Security reported that Meta sent notifications to 20,225 Instagram users whose accounts were targeted by this vulnerability.
The scale itself is concerning, but an even bigger problem is how this vulnerability was exploited and what that could mean for Meta’s security measures in the future.
The vulnerability itself was surprisingly simple. The hackers asked Meta’s AI-powered support bot to grant them access to other users’ accounts by requesting that confirmation codes be sent to the hackers’ email addresses.
If a user unexpectedly receives such messages or access codes, it is worth understanding what this might be related to: Why does an Instagram account confirmation code arrive?
As shown in this example posted on X by user @oracles, hackers managed to trick the chatbot into sending access codes simply by asking it to do so, with the bot offering virtually no resistance.
This is a basic security vulnerability, and Meta said it has already fixed it. However, a more serious problem is that any human moderator would have prevented this at an early stage. Meta is currently reducing its workforce in favor of AI systems that the company believes can perform these functions just as well as humans.
As a result of changes announced in the first half of the year, Meta has already cut more than 20% of its staff. This move appears to confirm repeated statements by CEO Mark Zuckerberg that Meta’s AI tools will eventually be able to replace many positions, including content moderation and account support.
Users who suspect unauthorized access to their profile should periodically check their account security: How to check who has accessed your Instagram account
Meta is investing hundreds of billions of dollars – perhaps more than $1 trillion – in AI development. As a result, the company is under increasing pressure from investors to demonstrate the value of these tools and the potential return on investment.
However, this case reveals a serious flaw in AI tools that goes beyond the obvious vulnerability used in the Instagram hack. Moreover, the conversational approach to commands given by AI bots will inevitably make them vulnerable to many similar attacks.
This is because the request process is not binary. Conversational AI tools can be instructed to perform a task in an infinite number of ways, which means blocking potential abuse is an equally endless process.
For example, Meta could close the gap in its system by configuring the chatbot not to process account access requests without the necessary identity verification. But attackers are constantly looking for new ways to bypass such restrictions.
When problems arise with account access, many users turn to the platform’s support service. These guides may be helpful: How to write to Instagram support and How to get a response from Instagram support
Since there are many ways to ask a question to an AI chatbot, Meta needs to consider all possible forms of misuse and phrasing. This is virtually impossible and may mean that Meta’s AI tools pose a significant risk for any use involving access to sensitive information.
This likely applies to many commercial AI use cases. If Meta cannot guarantee the security of its systems to partners, the prospects for further deployment of such solutions will be significantly limited.
Additionally, users should pay close attention to security notifications from the platform. You can learn more about this here: Is someone trying to log into your Instagram: notifications and security
This, in turn, will limit Meta’s ability to ever recoup its AI investments. Furthermore, it could derail the entire AI development program, at least until significant improvements are made in this area.
Thus, this is an important example of Meta’s application and a clear demonstration of the potential (or lack thereof) of its evolving AI systems.
It is worth noting separately that account security issues are becoming increasingly relevant amid changes in social media access and authorization policies. One reason for increased control is platforms’ desire to limit unauthorized viewing of content without logging in: Why Instagram doesn’t allow viewing without logging in
If you still need to contact support, it is helpful to know in advance How long Instagram support takes to respond, as response times may vary depending on the complexity of the issue.
