Instagram has resolved a security issue that allowed multiple user accounts to be compromised. The attack appeared to rely on tricking Meta’s AI support chatbot into granting access to a victim’s account.
Over the weekend, several users on Reddit claimed that their Instagram accounts had been hacked, and a number of users on X warned of similar account breaches. Hacked accounts include the Instagram handle for the Obama-era White House, which appears to be inactive as of 2017, and the account of US Space Force Chief Sgt. John Bentivegna.
Security researcher Jane Wong said her Instagram account was also hacked.
“The password was changed without my knowledge and I have been receiving different password reset attempts throughout the day yesterday,” said Wong. “Quite disturbing.”
A video posted on X showed the step-by-step process to hack someone’s Instagram account. The hacker reportedly used a VPN to spoof the target’s supposed location to avoid triggering Instagram’s automated account protection. The hacker then opened a chat with the Meta AI Support Assistant and asked the bot to add a new email address to the target’s account. The chatbot can be seen sending a verification code to the email address provided by the hacker. The hacker then shares the verification code with the chatbot, which prompts the chatbot to display a “Reset Password” button. The hacker enters a new password and takes over the victim’s account.
TechCrunch was able to verify that the hacker’s public email mailbox, which was featured in the video, actually received the verification code.
The attack worked because at no point did the hacker have to take over the legitimate email address associated with the victim’s Instagram account.
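The gap described above is that the verification code proved control of the newly supplied address only, not ownership of the account. The following added sketch (not Meta's code and not part of the original article; `Account`, `start_email_change`, `confirm_email_change` and the `example.test` addresses are hypothetical) contrasts that flow with one that sends the code to an address already on file:

```python
import hmac
import secrets
from dataclasses import dataclass, field

MAX_TRIES = 3  # assumed limit on wrong codes per challenge

@dataclass
class Account:
    handle: str
    emails_on_file: set                           # addresses the owner already verified
    pending: dict = field(default_factory=dict)   # challenge id -> [code, new_email, tries]

def start_email_change(account, new_email, outbox, owner_bound=True):
    """Issue a one-time code for adding new_email; outbox collects (recipient, code).

    owner_bound=False reproduces the flow in the article: the code goes to the
    address the requester typed, which proves control of that address only.
    owner_bound=True sends it to addresses already on file for the account.
    """
    code = f"{secrets.randbelow(10**6):06d}"
    challenge_id = secrets.token_urlsafe(8)
    recipients = account.emails_on_file if owner_bound else {new_email}
    for rcpt in sorted(recipients):
        outbox.append((rcpt, code))
    account.pending[challenge_id] = [code, new_email, 0]
    return challenge_id

def confirm_email_change(account, challenge_id, code):
    """Attach the new address only if the code matches; codes are single-use."""
    entry = account.pending.get(challenge_id)
    if entry is None:
        return False
    expected, new_email, tries = entry
    if not hmac.compare_digest(expected, code):   # constant-time comparison
        entry[2] = tries + 1
        if entry[2] >= MAX_TRIES:
            del account.pending[challenge_id]     # stop further guessing
        return False
    del account.pending[challenge_id]
    account.emails_on_file.add(new_email)
    return True
```

With `owner_bound=True`, a requester who controls only the new mailbox never receives a usable code, so the password reset step is not reached.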
On Monday, Instagram spokesman Andy Stone said in a reply to the post by Wong and others that the problem had now been fixed. It’s unclear how many Instagram users had their accounts improperly accessed.
Meta did not immediately respond to TechCrunch’s request for comment.
