Instagram has resolved a security issue that allowed multiple users’ accounts to be hacked. The attack appears to rely on tricking Meta’s proprietary AI-powered support chatbot into granting access to victims’ accounts.
Over the weekend, multiple users on Reddit claimed their Instagram accounts had been compromised, and many users on X warned of similar account hijackings. The compromised accounts include the White House Instagram handle from the Obama administration, which appears to have been inactive since 2017. John Bentivegna, Chief Master Sergeant of the U.S. Space Force, explains:
Security researcher Jane Wong said her Instagram account was also compromised.
“My password had been changed without my knowledge and I had multiple attempts to reset it all yesterday,” Wong said. “I’m quite worried.”
A video posted on X showed the step-by-step process of hacking someone’s Instagram account. The hackers allegedly used a VPN so that their apparent location matched the target’s estimated location, avoiding Instagram’s automatic account protections. The hacker then started a chat with the Meta AI Support Assistant and asked the bot to add a new email address to the target’s account. The video shows the chatbot sending a verification code to the email address supplied by the hacker, who then shares that code with the chatbot. At that point the chatbot displays a “Reset Password” button; the hacker enters a new password and takes over the victim’s account.
TechCrunch was able to confirm that the hacker’s public email mailbox seen in the video did indeed receive the verification code.
Notably, at no point did the hacker need to take over the legitimate email address linked to the victim’s Instagram account: control of an address the hacker had just supplied was accepted as proof of account ownership.
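The authorization failure described above, as an added illustration that is not Meta’s code: a verification code only proves control of the address it was sent to, so a recovery flow must require that address to have been verified on the account before the recovery attempt began. All names (Account, RecoveryService, the example addresses) are hypothetical.

```python
"""Model of a support-driven password reset, in a vulnerable and a hardened form."""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    verified_emails: set[str]  # addresses confirmed while the owner was logged in
    password_hash: str


class RecoveryService:
    def __init__(self) -> None:
        self.pending: dict[str, tuple[str, str]] = {}  # code -> (username, email)

    def send_code(self, account: Account, email: str) -> str:
        """Issue a one-time code for `email`; returned here instead of mailed."""
        code = secrets.token_hex(3)
        self.pending[code] = (account.username, email)
        return code

    def reset_password(self, account: Account, code: str, new_hash: str, hardened: bool) -> bool:
        entry = self.pending.pop(code, None)
        if entry is None or entry[0] != account.username:
            return False
        username, sent_to = entry
        # Vulnerable check: any valid code for this account is enough, even one
        # sent to an address the requester supplied moments ago.
        # Hardened check: the code must have gone to an address that was already
        # verified on the account, so knowing it demonstrates ownership.
        if hardened and sent_to not in account.verified_emails:
            return False
        account.password_hash = new_hash
        return True


def attacker_takeover(hardened: bool) -> bool:
    """Constructed scenario: requester supplies their own mailbox, then uses the code."""
    victim = Account("victim", {"owner@example.invalid"}, "old-hash")
    svc = RecoveryService()
    code = svc.send_code(victim, "attacker@example.invalid")  # attacker reads this mailbox
    return svc.reset_password(victim, code, "attacker-hash", hardened)


def legitimate_recovery() -> bool:
    """Constructed scenario: code goes to the pre-existing verified address."""
    owner = Account("victim", {"owner@example.invalid"}, "old-hash")
    svc = RecoveryService()
    code = svc.send_code(owner, "owner@example.invalid")
    return svc.reset_password(owner, code, "new-hash", hardened=True)
```

The hardened check also implies that adding a new contact address must itself require an already-authenticated session or a code sent to an existing verified channel, otherwise the check is bypassed one step earlier.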
In a response to Wong’s posts and others, Instagram spokesperson Andy Stone said Monday that the issue has now been resolved. It is unclear how many Instagram users had their accounts compromised.
Meta did not immediately respond to TechCrunch’s request for comment.