Meta, owner of Instagram, Facebook and WhatsApp, announced it resolved a major security flaw in its artificial intelligence support assistant that allowed hackers to bypass security protocols and take over premium Instagram accounts.
"This issue has been resolved and we are securing impacted accounts," Andy Stone, a communication official of Meta said on US based social media platform X on Tuesday.
The critical vulnerability, which circulated on Telegram channels before being exposed on the social media platform X, permitted bad actors to hijack accounts without needing access to the victim's email address or phone number.
The official White House Instagram page associated with former US President Barack Obama was also hacked, according to a Monday report by entertainment news outlet TMZ.
The breach was discovered Sunday after several unusual posts appeared on the account
The security exploit required attackers to use a virtual private network to match the geographic location of the target user to bypass automated regional safeguards.
The perpetrator would then trigger a password reset option to open a chat window with the Meta AI Support Assistant, a tool launched globally earlier this year to automate account recovery and technical support.
The hacker simply instructed the automated system to change the registered email address of the targeted handle to their own address, prompting the chatbot to send an 8-digit verification code to the attacker.
After entering the code back into the chat interface, the system generated a password reset link, enabling the attacker to set a new password and lock out the legitimate account owner.
The cyberattack campaign compromised several high-profile handles over the weekend, including the inactive Barack Obama White House account, global beauty retailer Sephora, and the personal account of US Space Force Chief Master Sergeant John Bentivegna.
The compromised Obama White House account, which had not seen activity since 2017, was briefly defaced with pro-Iranian images and messages before Meta intervened.
