
Instagram AI Chatbot Vulnerability Allowed Account Takeovers, Including Barack Obama's Former Profile
Instagram has confirmed it has resolved a security flaw in its AI-powered support chatbot that allowed unauthorised account takeovers. The issue reportedly enabled individuals to change passwords and link new email addresses to other users' accounts by spoofing their geographical location.
High-Profile Compromises
Among the accounts reportedly affected was a verified Instagram profile previously utilised by former US President Barack Obama during his time in office. This account allegedly posted pro-Iran content following the compromise, before Instagram recovered it. While the full extent of the vulnerability's exploitation remains unclear, security researcher and former Meta employee Jane Manchun Wong also reported her account password was changed without her knowledge, describing the incident as 'quite concerning'.
Exploiting AI for Access
Demonstrations shared on social media, including by cybersecurity researcher Dark Web Informer, illustrated the exploit. Individuals would use a Virtual Private Network (VPN) to appear in the legitimate account holder's location, then engage Instagram's Meta AI support assistant. When asked to link a new email address to the target account and send it a verification code, the bot complied; once the new address was verified, it issued a password reset link to the attacker. In effect, a spoofable signal (apparent location) was being treated as proof of account ownership, and verifying the new address only proved that the requester controlled that address, not the account.
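The flaw described above is, at bottom, an authorisation-policy problem: a recovery flow that accepts a location match (which a VPN can produce at will) as ownership proof before changing the account's recovery channel. The following Python is an added illustration written for this article, not Instagram's or Meta's code; the account model, field names and audit-event shape are hypothetical. It places the weak location-only policy beside a hardened one that demands possession of an already-verified contact or a recent authenticated session, and adds a small detection over a constructed audit stream that flags recovery-channel changes approved on location alone and followed shortly by a password reset.

```python
"""Hypothetical recovery-channel authorisation policies plus a detection rule.

Added example for illustration; not Meta/Instagram code. All names, thresholds and
sample events below are assumptions constructed for this demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    user_id: str
    home_country: str
    verified_contacts: frozenset   # addresses/numbers the owner already confirmed
    session_age_s: int             # seconds since the caller last presented a credential


@dataclass(frozen=True)
class RecoveryChange:
    user_id: str
    geo_country: str               # inferred from source IP; a VPN sets this freely
    new_email: str
    proof_contact: Optional[str]   # existing verified contact on which a one-time code was confirmed


def weak_policy(acct: Account, req: RecoveryChange) -> Tuple[bool, str]:
    """The flaw pattern: a location match is treated as proof of ownership.

    Verifying the *new* address afterwards proves only that the requester
    controls that address, so it adds nothing about who owns the account.
    """
    if req.user_id != acct.user_id:
        return False, "wrong-account"
    if req.geo_country == acct.home_country:
        return True, "geo-match"
    return False, "geo-mismatch"


MAX_SESSION_AGE_S = 300  # hypothetical step-up window for a fresh login


def hardened_policy(acct: Account, req: RecoveryChange) -> Tuple[bool, str]:
    """Geolocation is never an authentication factor here.

    Adding a recovery address requires possession of a channel the owner already
    verified (a code confirmed on it), or a recently authenticated session.
    """
    if req.user_id != acct.user_id:
        return False, "wrong-account"
    if req.proof_contact and req.proof_contact in acct.verified_contacts:
        return True, "possession-of-existing-contact"
    if acct.session_age_s <= MAX_SESSION_AGE_S:
        return True, "fresh-authenticated-session"
    return False, "no-ownership-proof"


RESET_WINDOW_S = 900  # hypothetical correlation window for the detection


def flag_geo_only_resets(events: List[Dict]) -> List[str]:
    """Flag users whose recovery address was added on a 'geo-match' decision
    and who then had a password reset within RESET_WINDOW_S seconds.

    Each event is a dict with ts, user_id, action and (for adds) reason.
    """
    geo_only_adds: Dict[str, int] = {}
    flagged: List[str] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "recovery_email_added" and ev.get("reason") == "geo-match":
            geo_only_adds[ev["user_id"]] = ev["ts"]
        elif ev["action"] == "password_reset":
            t0 = geo_only_adds.get(ev["user_id"])
            if t0 is not None and 0 <= ev["ts"] - t0 <= RESET_WINDOW_S \
                    and ev["user_id"] not in flagged:
                flagged.append(ev["user_id"])
    return flagged


# Constructed sample audit stream (not real data).
SAMPLE_EVENTS = [
    {"ts": 100, "user_id": "u1", "action": "recovery_email_added", "reason": "geo-match"},
    {"ts": 400, "user_id": "u1", "action": "password_reset"},
    {"ts": 100, "user_id": "u2", "action": "recovery_email_added",
     "reason": "possession-of-existing-contact"},
    {"ts": 200, "user_id": "u2", "action": "password_reset"},
    {"ts": 100, "user_id": "u3", "action": "recovery_email_added", "reason": "geo-match"},
    {"ts": 5000, "user_id": "u3", "action": "password_reset"},
]


if __name__ == "__main__":
    owner = Account("u1", "US", frozenset({"owner@example.com"}), session_age_s=86400)
    spoofed = RecoveryChange("u1", "US", "new@example.net", proof_contact=None)
    print("weak policy on spoofed location:", weak_policy(owner, spoofed))
    print("hardened policy on spoofed location:", hardened_policy(owner, spoofed))
    print("flagged users:", flag_geo_only_resets(SAMPLE_EVENTS))
```

The point of the side-by-side is that the hardened policy never consults geo_country at all: location can still feed risk scoring or alerting, but it should never be the factor that authorises a change to the channel through which the account is recovered. The detection is the retrospective counterpart, useful for scoping an incident like this one from existing audit logs.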
This incident amplifies existing concerns regarding the security implications of increasingly sophisticated and pervasive AI systems. Critics highlight the apparent lack of human support for users experiencing account compromises, with one user noting the irony of an AI system being exploited while human assistance remains inaccessible. Meta, Instagram's parent company, has faced scrutiny over its user support mechanisms, particularly following significant workforce reductions amidst substantial investment in AI development.

