news.volyx.in

Meta confirms 1000s of Instagram accounts were hacked by abusing its AI chatbot (this.weekinsecurity.com)

709 points by speckx · 36 days ago · 265 comments on HN

Article summary

Meta has confirmed that thousands of Instagram accounts were hacked by exploiting a vulnerability in its AI chatbot, which allowed hackers to reset passwords and take control of accounts. The breach, which occurred between April 17 and this week, was discovered after media reports and has resulted in Meta notifying at least 20,225 people that their accounts had been compromised. The company has disabled the AI chatbot and removed the code path that allowed the chatbot to reset user accounts. The breach has raised concerns about the security of Meta's AI systems and the potential for similar vulnerabilities in the future.

Main themes

  • AI chatbot security
  • Instagram account hacking
  • Password reset vulnerability
  • Meta's response to breach
  • AI limitations and risks

What commenters say

  • The AI chatbot was not the primary cause of the breach, but rather a separate code path that failed to verify email addresses associated with user accounts.
  • The breach highlights the limitations and risks of relying on AI systems for security and authentication purposes.
  • Meta's decision to blame a downstream dependency rather than the AI chatbot itself is seen as an attempt to deflect responsibility and protect the reputation of its AI technology.
  • The incident demonstrates the need for more robust security measures, such as two-factor authentication, to prevent similar breaches in the future.
  • The use of AI chatbots in security and authentication processes can be problematic due to their potential to be tricked or exploited by malicious actors.
  • The breach has raised concerns about the potential for similar vulnerabilities in other Meta systems and the need for more transparency and accountability from the company.
  • The incident highlights the importance of human oversight and review in security and authentication processes to prevent errors and exploits.
  • The blame for the breach should be placed on the poorly designed backend function that allowed the vulnerability to exist, rather than the AI chatbot itself.