Hackers have again shown how fragile Big Tech’s promises can be. This time attackers used Meta’s own AI support chatbot to take over high-profile Instagram accounts — including the archived Obama White House profile — by simply tricking the bot into swapping recovery email addresses. Meta says it patched the problem and is “securing impacted accounts,” but the incident raises hard questions about giving automated systems the keys to the kingdom.
How the AI-support trick worked
Researchers say the method was frighteningly simple. An attacker would use a VPN to appear to be in the account owner’s area, open Meta’s AI Support Assistant, and ask it to add a new email for a target username. The bot then sent a verification code to the attacker’s email and walked through a password reset flow that sometimes bypassed two‑factor protections. Videos and screenshots of the step-by-step abuse circulated on Telegram, showing the exact conversational prompts used to seize accounts.
Meta’s response: patch issued, few answers
Andy Stone, Vice President of Communications at Meta, posted that the issue was resolved and impacted accounts are being secured. Meta says it pushed an emergency fix over the weekend after researchers flagged the flaw, but the company has not disclosed how many profiles were hit or when the risky permissions were first granted to the AI. Victims also report trouble getting human help — many found they couldn’t escalate the problem once the AI flow was the official route for account recovery.
Why this matters for security and national safety
This isn’t just another social media headache. The accounts reportedly targeted include major brands, researchers, the Space Force’s senior enlisted leader, and the archived Obama White House Instagram. That mix shows attackers aren’t picky; they want influence and attention. When automated systems are allowed to change account recovery details without robust checks or human review, attackers can chain simple steps into a full takeover. That creates an obvious national security risk if foreign-linked actors repurpose official or military‑adjacent accounts for propaganda.
What should be done next
Meta’s patch is a start, but regulators and Congress should step in before the next AI-enabled screwup. Companies must never hand full authority for sensitive security functions to bots without strict human oversight, strong out‑of‑band verification, and transparent incident reporting. For conservatives worried about Big Tech power, this is a clear reminder: we need accountability, not slogans. If Silicon Valley wants to automate everything, fine — but don’t give machines the master keys and then expect the country to shrug when chaos follows.
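As an added illustration (not code from Meta or from the original article), the sketch below shows one way to gate an assistant's account-recovery tool calls on the controls named above: proof on a channel enrolled before the session, the existing second factor, and human approval. All class, field and channel names are hypothetical, and the requests are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy model for illustration; not Meta's API or data model.
SENSITIVE = {"add_recovery_email", "reset_password", "disable_2fa"}

@dataclass
class Account:
    username: str
    enrolled: set            # channels verified before this support session
    two_factor: bool = True

@dataclass
class ToolRequest:
    action: str
    new_email: Optional[str] = None
    proofs: dict = field(default_factory=dict)  # channel -> challenge passed?
    ip_in_owner_region: bool = False            # recorded, never trusted
    human_approved: bool = False

def authorize(acct: Account, req: ToolRequest) -> tuple:
    """Decide whether the assistant may execute a proposed tool call."""
    if req.action not in SENSITIVE:
        return ("allow", "non-sensitive action")
    # Only challenges passed on channels enrolled BEFORE the session count.
    # A code sent to the address being added proves control of that address,
    # not of the account, and a nearby IP (VPN) proves nothing at all.
    valid = {c for c, ok in req.proofs.items() if ok and c in acct.enrolled}
    if not valid:
        return ("deny", "no proof on a pre-enrolled channel")
    if acct.two_factor and "totp" not in valid:
        return ("deny", "second factor not satisfied")
    if not req.human_approved:
        return ("escalate", "queue for human review")
    return ("allow", "verified out of band and approved")

def demo() -> list:
    acct = Account("target_user", {"email:owner@example.com", "totp"})
    owner = {"email:owner@example.com": True}
    both = {**owner, "totp": True}
    cases = [  # constructed requests
        ToolRequest("add_recovery_email", "new@attacker.example",
                    {"email:new@attacker.example": True}, ip_in_owner_region=True),
        ToolRequest("add_recovery_email", "new@example.com", owner),
        ToolRequest("add_recovery_email", "new@example.com", both),
        ToolRequest("add_recovery_email", "new@example.com", both,
                    human_approved=True),
    ]
    return [authorize(acct, r)[0] for r in cases]
```

The first constructed request mirrors the flow described under "How the AI-support trick worked" and is denied because its only proof arrives on the address being added.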

