The AI Logic Flaw
A vulnerability in Meta’s AI-powered account recovery assistant on Instagram enabled attackers to take over high-value accounts without any traditional hacking or system intrusion. Security researchers ZachXBT and Dark Web Informer publicly disclosed that threat actors could manipulate the chatbot simply by asking it to send password reset codes to recipients of their choosing. The AI failed to enforce identity verification checks before acting on the request, so anyone who knew a target’s username could initiate a takeover attempt.
The exploit did not involve a breach of Meta’s backend servers. Instead, the flaw existed in the AI logic layer, which lacked proper rate limiting and authentication mechanisms. Meta confirmed that no internal systems were compromised, but acknowledged the AI had insufficient controls around account recovery workflows.
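The two controls the article says were missing, identity-bound delivery and rate limiting, as an added illustration in hypothetical Python (not Meta's code): a server-side gate that an AI assistant's "send reset code" tool call must pass before anything is sent. The account store, the `ResetGate` class, `RESET_LIMIT_PER_WINDOW` and `mask` are all assumed names constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed account store (hypothetical data, not Meta's). Contacts are the
# addresses bound to the account *before* any recovery request is made.
ACCOUNTS = {
    "hey": frozenset({"owner@example.com"}),
}

RESET_LIMIT_PER_WINDOW = 3  # assumed policy value; the time window is omitted


@dataclass
class Decision:
    allowed: bool
    reason: str
    masked_recipient: Optional[str] = None


@dataclass
class ResetGate:
    """Server-side policy for the assistant's 'send_reset_code' tool call.

    The assistant may propose a username and a recipient, but both are
    treated as untrusted input: a code only ever goes to a contact already
    registered on the account, and every attempt is counted."""
    attempts: dict = field(default_factory=lambda: defaultdict(int))

    def authorize(self, username: str, requested_recipient: str) -> Decision:
        # Count every attempt, successful or not, so repeated requests and
        # username probing are throttled alike.
        self.attempts[username] += 1
        if self.attempts[username] > RESET_LIMIT_PER_WINDOW:
            return Decision(False, "rate limit exceeded")
        contacts = ACCOUNTS.get(username)
        if contacts is None:
            return Decision(False, "unknown account")
        # A recipient named in the conversation that is not on file is
        # rejected outright; the gate never adds or rewrites contacts.
        if requested_recipient not in contacts:
            return Decision(False, "recipient is not a registered contact")
        return Decision(True, "ok", mask(requested_recipient))


def mask(address: str) -> str:
    """Hide the contact so the assistant's reply cannot echo it verbatim."""
    local, _, domain = address.partition("@")
    return f"{local[:1]}***@{domain}"
```

The key point is that the recipient parameter chosen by the model is validated against authoritative account state, never trusted on its own.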
Impact on High Profile Accounts
Attackers deliberately targeted premium, short-handle Instagram accounts such as @hey and @jowo, which are known in underground markets for their high resale value. These coveted usernames, collectively valued at over $1 million, were quickly sold through private Telegram channels before Meta could intervene. Dark Web Informer tracked stolen account listings circulating in real time, highlighting how financially motivated actors exploit platform vulnerabilities for quick profit.
Meta patched the vulnerability shortly after reports surfaced. The company stated it fixed an issue allowing an external party to request password reset emails for some users, and assured that accounts remain secure. However, the incident underscores the growing risk of AI-powered account recovery tools being weaponized when proper safeguards are absent.
Source: Cyber Security News