The AI-assisted chatbot flaw that let hackers easily hijack Instagram accounts affected more than 20,000 users and has been exploited since mid-April. Parent company Meta quietly disclosed the figure in a data breach filing with Maine’s attorney general on Friday, which says the incident affected 20,225 people. It also notes that hackers have been exploiting the flaw since April 17.

Meta’s 3-page report to Maine also confirms the problem involved the “AI-assisted account recovery system for Instagram.”

The hijacking technique went viral on Sunday, May 31, first on the chat app Telegram and then on social media. Normally, Meta’s account recovery chatbot is merely supposed to send a password reset link to the legitimate owner’s email address if the user is locked out.

But users on Telegram discovered they could simply ask the support bot to send the password reset link to any email address, including one owned by a hacker. The only requirement was to initiate the AI-assisted chatbot recovery from an IP address in the same region as the account holder.

Meta’s report confirmed the flaw and says, “due to a bug in a separate code path, the system did not properly verify that the email address
Instagram’s Account-Recovery Chatbot Bug Hit 20,225 Users | PCMag
