Meta AI Vulnerability Leads to Hijacking of 20,000 Instagram Accounts
2026-06-15 14:49

en.Wedoany.com Reported - A vulnerability in Meta's AI-assisted account recovery system has led to the hijacking of 20,225 Instagram accounts. Attackers exploited a flaw in the company's High Touch Support (HTS) system to perform unauthorized password resets on accounts.

Instagram AI support vulnerability

High Touch Support (HTS) is Instagram's AI-based account recovery system designed to help users regain access to locked accounts. Users can request a password reset link through the support workflow when they are unable to access their accounts.

Amber Hannah, Deputy Associate General Counsel for Meta's Incident Response Legal team, explained that the tool itself functioned normally and achieved its intended purpose, but an error in a separate code path caused the system to fail to properly verify whether the email address provided when requesting a password reset matched the email address associated with the user's Instagram account. When an individual provided an email address not previously associated with the account, the system erroneously sent the password reset link to that unassociated email address instead of rejecting the request. This allowed unauthorized third parties to receive password reset links for accounts that did not belong to them. After resetting the password, if the account holder had not enabled two-factor authentication (2FA), the unauthorized party could log into the account.

Meta stated that it discovered the vulnerability on May 31. A document published on the Maine Attorney General's website lists April 17 as the incident date, indicating that the first unauthorized access may have occurred more than six weeks earlier. The company said there is no evidence of what information, if any, was accessed from the compromised accounts. Potentially exposed data from affected accounts includes contact information (such as email addresses and phone numbers), dates of birth, photos, videos, stories, direct messages, account activity, profile information, and linked services.

Last week, reports emerged on Reddit, X, Telegram, and security communities that Instagram accounts were being hijacked through Meta's AI support workflow. The simplicity of the attack was striking. Videos shared on Telegram showed attackers using a VPN service to place themselves in roughly the same geographic area as the target account, then asking the chatbot to link the account to an email address they controlled.

According to security journalist Brian Krebs, attackers targeted high-profile Instagram accounts, including the Obama White House account and the U.S. Space Force Chief Master Sergeant account, as well as short, high-value usernames that could be resold on the black market.

After discovering the vulnerability, the company disabled the affected AI-assisted support tool, invalidated password reset links generated through the flawed workflow, required additional identity verification for potentially affected accounts, and instructed affected users to reset their passwords. Meta stated that before relaunching the tool, it will fix the identity verification check at the Instagram recovery entry point to ensure that email addresses are properly verified against existing account information before initiating any password reset, and is conducting a comprehensive review of similar account recovery processes across Meta platforms to identify and fix potential issues.
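As an added illustration (not Meta's code; every account, address and function name below is hypothetical), the following Python models the faulty recovery branch the article describes beside the check Meta says it will restore: a reset link must only ever go to the address already on file, and the response must not reveal whether the supplied address matched.

```python
# Toy model of the Instagram recovery flaw and its fix. Constructed example,
# not Meta's code: the account store, outbox and handler names are invented.
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    email: str              # address registered on the account
    two_factor: bool = False

# Constructed sample data: one account, plus an outbox recording where each
# handler delivers reset links so the two behaviours can be compared.
ACCOUNTS = {"example_user": Account("example_user", "owner@example.com")}
OUTBOX: list = []
GENERIC = "If that address is on file, a reset link has been sent."

def _normalize(addr: str) -> str:
    # Case-insensitive, whitespace-trimmed comparison for the toy store
    return addr.strip().lower()

def flawed_reset(username: str, requested_email: str) -> str:
    """Models the faulty flow: the unrecognised-address branch sends instead of rejecting."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return GENERIC
    if _normalize(requested_email) == _normalize(acct.email):
        OUTBOX.append((username, acct.email))
    else:
        # Faulty "separate code path": an address not associated with the
        # account should be rejected, but the link is sent to it anyway.
        OUTBOX.append((username, requested_email))
    return GENERIC

def fixed_reset(username: str, requested_email: str) -> str:
    """Hardened flow: a link is only delivered to the address already on file."""
    acct = ACCOUNTS.get(username)
    if acct is not None and _normalize(requested_email) == _normalize(acct.email):
        OUTBOX.append((username, acct.email))
    # Same reply whether or not the address matched, so the endpoint cannot
    # be used to learn which addresses belong to which accounts.
    return GENERIC

def reset_link_grants_login(username: str) -> bool:
    """A misdelivered link alone does not log in an account protected by 2FA."""
    return not ACCOUNTS[username].two_factor

def deliveries_for(username: str) -> list:
    return [to for (user, to) in OUTBOX if user == username]
```

The 2FA helper mirrors the article's point that only accounts without two-factor authentication could be taken over once a reset link was misdelivered.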

Meta launched its AI support assistant in March, claiming it was rigorously testing each AI system, establishing safeguards, and evaluating its performance to prevent bias and ensure consistency and accuracy. The negative effects of outsourcing account recovery to AI arrived faster than expected.

This article is compiled by Wedoany. All AI citations must indicate the source as "Wedoany". If there is any infringement or other issues, please notify us promptly, and we will modify or delete it accordingly. Email: news@wedoany.com