Meta Resolves AI Chatbot Security Flaw That Exposed High-Profile and Regular User Accounts
Key Takeaways
- Hackers exploited Meta's AI chatbot to bypass two-factor authentication and reset account passwords
- High-profile targets included Barack Obama's White House account, Sephora, and U.S. Space Force leadership
- The exploit leveraged the chatbot's legitimate account management functions to facilitate unauthorized access
Summary
Meta has patched a critical security vulnerability in its AI chatbot that allowed hackers to hijack user accounts by exploiting the assistant's account management capabilities. According to 404 Media and The Guardian, attackers targeted high-profile accounts including Barack Obama's White House email, beauty retailer Sephora, and U.S. Space Force Chief Master Sergeant John Bentivegna. Regular users also reported similar takeovers, with some posting video evidence of the exploit.
The vulnerability allowed hackers to trick Meta's AI assistant into initiating account password reset flows. By asking the chatbot to link a new email address to a target account, the attacker caused the bot to send a verification code to the attacker's email rather than to the legitimate account holder, effectively bypassing two-factor authentication. Once the hacker supplied the verification code in the chat, they gained access to password reset functionality, granting full account control.
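To make the failure mode concrete from a defender's side, the following is an added Python model, not Meta's code and not taken from the reporting: the accounts, session ids, mailbox and the assistant "tool" classes are all constructed for illustration. It places the flawed flow described above (the tool acts on any account it is asked about, mails the code to the address being added, and a freshly linked address can immediately receive a reset) beside a hardened version with three controls: the tool only modifies the account the caller is already authenticated to, approval for a new contact is sent to contacts already on file, and a new contact becomes a recovery channel only after a separate settle step.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    owner_session: str                             # session id of the logged-in owner (constructed)
    verified_emails: list = field(default_factory=list)
    recovery_emails: list = field(default_factory=list)   # addresses allowed to receive a reset
    pending: dict = field(default_factory=dict)    # one-time code -> email awaiting confirmation


class Outbox:
    """Stand-in for the mail sender; records (recipient, code) so callers can inspect it."""
    def __init__(self):
        self.sent = []

    def send(self, to, code):
        self.sent.append((to, code))


def new_code():
    return secrets.token_hex(3)


class VulnerableLinker:
    """Models the flaw as the article describes it: no ownership check, code mailed to the
    NEW address, and the new address is immediately usable for password reset."""
    def __init__(self, accounts, outbox):
        self.accounts, self.outbox = accounts, outbox

    def link_email(self, account_id, new_email, requester_session):
        acct = self.accounts[account_id]           # requester_session is never compared to the owner
        code = new_code()
        acct.pending[code] = new_email
        self.outbox.send(new_email, code)          # code goes to whoever controls new_email
        return code

    def confirm(self, account_id, code, requester_session):
        acct = self.accounts[account_id]
        email = acct.pending.pop(code, None)
        if email is None:
            return False
        acct.verified_emails.append(email)
        acct.recovery_emails.append(email)         # eligible for reset right away
        return True


class HardenedLinker:
    """Same tool surface with ownership binding, owner-side approval and a cooling-off step."""
    def __init__(self, accounts, outbox):
        self.accounts, self.outbox = accounts, outbox

    def _owned(self, account_id, requester_session):
        acct = self.accounts[account_id]
        if requester_session != acct.owner_session:
            raise PermissionError("tool may only modify the authenticated caller's own account")
        return acct

    def link_email(self, account_id, new_email, requester_session):
        acct = self._owned(account_id, requester_session)
        code = new_code()
        acct.pending[code] = new_email
        for existing in acct.verified_emails:      # owner approves via a channel they already hold
            self.outbox.send(existing, code)
        return code

    def confirm(self, account_id, code, requester_session):
        acct = self._owned(account_id, requester_session)
        email = acct.pending.pop(code, None)
        if email is None:
            return False
        acct.verified_emails.append(email)         # linked, but not yet a recovery channel
        return True

    def settle(self, account_id, requester_session):
        """Promote linked emails to recovery channels once the cooling-off period has passed."""
        acct = self._owned(account_id, requester_session)
        acct.recovery_emails = list(acct.verified_emails)


def can_receive_reset(acct, email):
    return email in acct.recovery_emails


def run_both():
    """Drive both linkers with constructed data; returns which flow let a non-owner add a reset channel."""
    def fresh():
        return {"victim": Account("victim", "owner-sess", ["owner@example.test"], ["owner@example.test"])}

    accts, out = fresh(), Outbox()
    v = VulnerableLinker(accts, out)
    code = v.link_email("victim", "other@example.test", "other-sess")
    v.confirm("victim", code, "other-sess")
    vulnerable_leak = can_receive_reset(accts["victim"], "other@example.test")

    accts, out = fresh(), Outbox()
    h = HardenedLinker(accts, out)
    try:
        h.link_email("victim", "other@example.test", "other-sess")
        hardened_leak = True
    except PermissionError:
        hardened_leak = False
    return {"vulnerable_leak": vulnerable_leak, "hardened_leak": hardened_leak, "hardened_mail": out.sent}
```

The point of the model is that none of the three controls depends on the language model behaving well: the session check, the recipient of the approval code and the cooling-off period are enforced by the account service behind the tool, so a persuaded assistant can only ever act on the caller's own account and through channels the owner already holds.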
"This issue has been resolved and we are securing impacted accounts," Meta said in a statement. The patch comes amid Meta's operational shift toward AI-driven customer support and content moderation, with the company deploying its chatbot for password resets, account management, and reporting abuse across Facebook and Instagram.
- Meta has patched the vulnerability and is securing impacted accounts
- The incident highlights security risks as Meta increasingly relies on AI for customer support and account management