A critical flaw in Meta's AI allows for the theft of Instagram profiles.

Last update: 2 June, 2026
  • A security breach in the support chatbot facilitated illicit access to high-profile accounts.
  • The attackers used location spoofing techniques to deceive the automated systems.
  • Profiles of public figures and large companies were compromised before a patch was applied.
  • Experts recommend using two-factor authentication through apps to prevent these intrusions.

Vulnerability in Meta's AI support

The integration of artificial intelligence into customer service is an unstoppable trend, but sometimes these tools bring unpleasant surprises. It was recently discovered that Meta's support assistant had a critical flaw that allowed third parties to take full control of other people's profiles without breaking a sweat, simply by taking advantage of an automated process.

This security vulnerability has jeopardized the experience of thousands of users, even affecting figures such as Barack Obama and major international corporations. The situation has caused major alarm in the cybersecurity sector, especially in Europe, where data protection is a closely scrutinized issue and any such slip-up becomes a real headache for the competent authorities.

How the robbery was carried out using social engineering

The method used by the attackers did not require extensive technical knowledge or overly complex malware. It was simply based on deceiving Meta's AI chatbot through a conversation that seemed entirely legitimate to the automated account recovery system that the company had deployed a few months ago.

The criminals used VPN connections to simulate that they were in the same geographical location as the victim, so that the bot's location verification system would lower its guard and accept data change requests as if they came from the real owner.

Once the AI's trust was gained, the attacker asked to link a new email address to the target account, and the bot, surprisingly, sent the validation code directly to the address provided by the hacker at that very moment, completely ignoring the usual security protocols.

Entering that eight-digit code unlocked a button to reset the password, allowing the intruder to change the access credentials and lock the real owner out of their own profile in a matter of seconds, without them receiving any prior notification.

The lucrative black market for Instagram accounts

It's no surprise that these types of vulnerabilities are exploited so quickly, given the astronomical value of certain profiles on the black market. European experts have detected that influencer and brand accounts are being sold on private Telegram channels for prices that sometimes exceed one million euros due to their wide reach.

Beyond simply gaining access to the profile, the theft means that criminals can read private messages, access sensitive billing data, and carry out scams targeting followers of the compromised account, which represents a devastating reputational blow for any business or personal brand that lives off its image on social media.

Prestigious security researchers, such as those at Krebs On Security, have emphasized that the problem did not lie in the company's central servers, but in the poorly designed logic of the virtual assistant, which prioritized the quick resolution of incidents over the actual verification of identity.

The lack of a requirement for two-factor authentication during this specific recovery process was the key that opened the door for the attackers, demonstrating that automating critical processes without proper human oversight can be a very risky move on platforms with billions of users.
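A simplified model of the recovery logic described above, next to a hardened version, as an added example that is not Meta's code. The class, field and function names and the sample addresses are hypothetical, and the flawed version only mirrors the behaviour this article reports.

```python
from dataclasses import dataclass

@dataclass
class Account:
    verified_emails: set   # addresses already confirmed by the owner
    totp_enrolled: bool    # authenticator-app 2FA is switched on

@dataclass
class RecoveryRequest:
    geo_matches_owner: bool  # source IP geolocates near the owner (a VPN can fake this)
    new_email: str           # address the requester wants linked
    totp_ok: bool = False    # requester passed the authenticator challenge

def flawed_flow(acct, req):
    """Model of the reported behaviour: location alone unlocks the email change."""
    if req.geo_matches_owner:
        # Code goes to the requester-supplied address; the owner hears nothing.
        return {"send_code_to": req.new_email, "notify": []}
    return {"send_code_to": None, "notify": []}

def hardened_flow(acct, req):
    """Location can only lower trust; proof must come from factors already on file."""
    on_file = sorted(acct.verified_emails)
    decision = {"send_code_to": None, "notify": on_file, "reason": ""}
    if not req.geo_matches_owner:
        decision["reason"] = "location mismatch"
    elif acct.totp_enrolled and not req.totp_ok:
        decision["reason"] = "second factor required"
    elif not on_file:
        decision["reason"] = "no contact on file, escalate to human review"
    else:
        decision["send_code_to"] = on_file[0]  # never req.new_email
        decision["reason"] = "code sent to contact on file"
    return decision

# Constructed sample data (hypothetical addresses)
ACCOUNT = Account({"owner@example.com"}, totp_enrolled=True)
SPOOFED = RecoveryRequest(True, "intruder@example.net")
GENUINE = RecoveryRequest(True, "owner-new@example.com", totp_ok=True)

if __name__ == "__main__":
    for name, req in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, flawed_flow(ACCOUNT, req), hardened_flow(ACCOUNT, req))
```

In the hardened version every attempt, successful or not, produces a notification to the addresses already on file, which is the alert the affected owners never received.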

Measures to protect your digital security

Meta has already made its move and officially confirmed that the security patch is now implemented on its systems, assuring that the error has been corrected and that it is actively working to restore control to users who were affected by this breach over the past weekend.

To avoid unnecessary scares in the future, technology experts strongly recommend turning on two-step verification through specialized external applications, avoiding traditional SMS messages, which are much easier for skilled attackers to intercept.

It is also vital to maintain a recovery email that is completely private and not displayed in the profile bio, and to periodically review active sessions in Instagram settings to close any suspicious connections that we did not make ourselves.

Never delegating the complete security of your accounts to a virtual assistant and keeping physical backup codes stored safely are basic practices that can save us from a major mess if we find ourselves in a similarly vulnerable situation in the future.

The speed at which new technologies are deployed sometimes leaves essential security protocols behind, and this incident with Meta's AI is the perfect reminder that we must be proactive with our online privacy. Although the company has officially fixed the vulnerability, the responsibility for maintaining additional layers of protection rests with us to ensure our social media experiences remain safe and free from any unwanted intrusion.