- Cybercriminals tricked Meta’s AI customer support agent into forwarding password reset codes
- Stolen short‑handle accounts, valued at over $1M combined, were listed for sale across Telegram
- Attack highlights risk of delegating sensitive tasks to AI systems
Cybercriminals successfully pulled off a social engineering attack against Meta’s customer support, tricking the representative into initiating a password reset sequence without asking for any identity verification.
The news here is that the representative was actually an AI agent, not a human being at all. The researchers who disclosed the attack stressed just how dangerous it is to hand over sensitive assignments to AI. Meta fixed it soon after.
According to reputable researchers ZachXBT and Dark Web Informer, cybercriminals engaged in conversation with Meta’s AI chatbot and had it forward password reset codes for someone else’s accounts. The target accounts are premium, short-handle ones, that usually have millions of followers and as such can be sold for a lot of money on the black market.
Selling the stolen accounts
In fact, the researchers mentioned two specific accounts – @hey and @jowo, which were allegedly being sold in Telegram channels for “over 1 million combined”, Cybersecurity News reports.
Researchers were following the sales activity, tracking the stolen account listing circulating across different hacking collectives on Telegram.
Meta fixed the issue last Friday night: “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems and people’s Instagram accounts remain secure,” the company said in a follow-up announcement.
Users are constantly being warned about social engineering and phishing attacks, and advised on how to keep their accounts secure. In this case, however, there is nothing they could have done, since the attack targeted the platform itself, not its users.
Still, having multi-factor authentication (MFA) is probably the best way to protect against phishing and social engineering, but it is important that the one-time codes are not being sent via SMS. Also, registering an account with a private, unknown email account is a solid strategy as well.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
