In recent days, several high-profile Instagram accounts have been hacked, including the old White House account with more than 2.4 million followers, the account of a senior official in the U.S. Space Force, and the account of the beauty brand Sephora.
Cybersecurity experts say hackers gained access to these accounts by tricking an AI-powered chatbot operated by Meta, the parent company of Instagram.
Groups on the Telegram app are circulating videos that illustrate the method used by the hackers, showing one of them asking the Meta bot to reset the password of a targeted account, while sending the verification code to a new email address belonging to the hacker instead of the account owner's original email address.
When the chatbot asked the hacker to confirm his identity via a selfie video, the hacker used a fake video created using artificial intelligence tools. After the deception was successful, he was able to change the email address associated with the account and gain control of it.
Experts liken this method to what is known as "social engineering," where the system is deceived rather than the people.
Even more alarming is that this breach bypassed the "two-step verification" technology designed to protect accounts.
Meta did not respond to the report, but its head of communications wrote on the X platform on Monday that "the issue has been resolved, and work is underway to secure the affected accounts." However, the company did not disclose the number of accounts affected.
This incident has raised widespread concern about social media platforms' reliance on chatbots instead of human employees for sensitive tasks, such as password resets.
Last March, Meta launched this feature, saying it would help users resolve account issues without having to search for answers. However, users whose accounts had been compromised complained that there was no way to contact a real employee to resolve the problem.
