Meta AI Support Hack Exposes 20,000 Instagram Accounts

June 9, 2026 00:29 · 12 min read
Meta has revealed that 20,225 Instagram users had their accounts hijacked in a recent incident where attackers used Meta's AI-powered support system to reset passwords. The threat actors exploited a flaw in the company's High Touch Support (HTS) tool, an AI-assisted support system that helps users regain access after being locked out of their Instagram accounts.

Exploiting the HTS Flaw

By exploiting the fact that HTS did not verify whether the supplied email address belonged to the targeted Instagram account, the attackers obtained password reset links that let them log in to and hijack accounts that did not have two-factor authentication (2FA) enabled. According to Amber Hannah, Meta’s associate general counsel for incident response legal, "The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account."

This allowed unauthorized third parties to receive a password reset link for accounts they did not own. Upon resetting the password, the unauthorized party was able to log in to the account if the account holder had not enabled two-factor authentication (2FA).
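The failure mode described above, as an added illustration that is not Meta's or Instagram's code (the account store, request shape and outbound-mail record are constructed stand-ins): the vulnerable handler confirms only that the account exists and then mails the reset link to whatever address the requester typed, while the hardened handler requires the address to match the one on file and always delivers to the registered address.

```python
"""Password-reset email binding: the missing check beside the fix (illustrative)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample directory: username -> email registered on the account.
ACCOUNTS: Dict[str, str] = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
}


@dataclass
class ResetRequest:
    username: str  # account the requester wants to recover
    email: str     # address the requester claims should receive the link


@dataclass
class ResetMail:
    to: str        # where the reset link is actually sent
    token: str     # single-use reset token embedded in the link


def _normalise(addr: str) -> str:
    # Mirror the normalisation assumed at registration: trim and lower-case.
    return addr.strip().lower()


def issue_reset_unverified(req: ResetRequest) -> Optional[ResetMail]:
    """Vulnerable path: existence of the account is the only check, and the
    link goes to the requester-supplied address, so anyone who knows a
    username can have that account's reset link delivered to themselves."""
    if req.username not in ACCOUNTS:
        return None
    return ResetMail(to=req.email, token=secrets.token_urlsafe(32))


def issue_reset_verified(req: ResetRequest) -> Optional[ResetMail]:
    """Hardened path: the supplied address must match the registered one
    (constant-time compare), and the link is sent only to the address on
    file. Unknown account and mismatch both return None, so the response
    does not reveal which condition failed."""
    registered = ACCOUNTS.get(req.username)
    if registered is None:
        return None
    if not hmac.compare_digest(_normalise(registered).encode(),
                               _normalise(req.email).encode()):
        return None
    return ResetMail(to=registered, token=secrets.token_urlsafe(32))
```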

Response to the Breach

After a wave of user reports regarding these attacks hit social media platforms, Andy Stone, Meta's vice president of communications, replied to one of the affected users, stating that the "issue has been resolved, and we are securing impacted accounts." Meta has also contacted affected users to inform them of the breach and has enrolled all potentially stolen accounts into a mandatory security checkpoint.

Meta has no information on what personal information might have been accessed or stolen from the compromised accounts, but noted that the attackers could have gained access to affected Instagram users' contact information (email address and/or phone number), dates of birth, social media posts and content (photos, videos, stories), direct messages and communications, account activity and interaction history, profile information (biography, profile photo), as well as other connected accounts and linked services.

Preventative Measures

After discovering the incident, the company disabled the HTS AI-powered support system and invalidated all password reset links it had generated, so that any further hijack attempts belonging to the same malicious campaign would be blocked. Meta will fix the authentication check in the Instagram recovery entry point to ensure that the supplied email address is verified against existing account information before any password reset is initiated.

Additionally, Meta is conducting a comprehensive review of similar account recovery flows across Meta’s platforms to identify and remediate any potential issues. Prior to this incident, Ireland also fined Meta $264 million over a 2018 data breach that exposed the names, email addresses, phone numbers, and physical locations of over 29 million Facebook accounts.

The breach occurred on April 17, and Meta has since taken steps to secure the affected accounts and prevent further unauthorized access.


Source: BleepingComputer