Hackers exploit Meta AI to hijack Instagram accounts

 


Hundreds of high-profile Instagram accounts were reportedly taken over after hackers exploited a security weakness in Meta’s AI-powered account recovery assistant.

The attackers tricked the AI into linking their own email addresses to targeted accounts by falsely claiming they had lost access to the original email. Once the new email was added, they were able to reset passwords and lock out the real owners.

To avoid security checks, the hackers used VPNs to appear as if they were in the same location as their victims. In some cases, they also used AI-edited photos to pass selfie verification requests.

The flaw reportedly allowed attackers to bypass two-factor authentication, and some victims said they never received warnings about password reset attempts.

Impacted accounts included the Obama White House Instagram account, beauty brand Sephora, and Space Force Chief Master Sergeant John Bentivegna. Stolen accounts were quickly sold on dark web marketplaces.

Meta’s vice president of communications, Andy Stone, said that the issue has since been fixed and that the exploit no longer works. The company has not said how many accounts were affected.
