Hackers duped Meta AI support chatbot to steal celebrity Instagram accounts
Hackers duped Meta AI support chatbot to steal celebrity Instagram accounts
黑客利用 Meta AI 客服聊天机器人窃取名人 Instagram 账号
Meta’s AI support chatbot proved unusually helpful to hackers looking to steal and resell notable Instagram accounts—the hackers simply asking the bot to change the accounts’ associated email addresses while using VPN to mask their true locations. Videos featuring the “shockingly easy” exploit have been circulating among Telegram groups for hackers and security researchers, according to 404 Media.
Meta 的 AI 客服聊天机器人对那些试图窃取并转售知名 Instagram 账号的黑客来说“出奇地好用”——黑客只需在使用 VPN 掩盖真实地理位置的同时,要求机器人更改账号关联的电子邮箱地址即可。据 404 Media 报道,展示这一“极其简单”漏洞的视频已在黑客和安全研究人员的 Telegram 群组中流传。
The exploit allowed hackers to take over and flip valuable Instagram accounts worth hundreds of thousands of dollars on the gray market before Meta implemented an emergency patch on May 29. The Barack Obama White House account and the Chief Master Sergeant of Space Force’s account also posted pro-Iranian images and messages while they were temporarily compromised.
在 Meta 于 5 月 29 日实施紧急补丁之前,该漏洞使黑客能够接管并在灰色市场上倒卖价值数十万美元的优质 Instagram 账号。奥巴马白宫账号以及太空军总军士长的账号在被短暂入侵期间,也曾发布过亲伊朗的图片和信息。
Attackers simply had to use a VPN to approximately match their location to the target Instagram account’s region, begin a password reset process, and then ask Meta’s AI support chatbot to change the email address associated with the account, according to 404 Media. It’s a very straightforward prompt injection attack.
据 404 Media 报道,攻击者只需使用 VPN 将其位置大致匹配到目标 Instagram 账号所在的地区,启动密码重置流程,然后要求 Meta 的 AI 客服聊天机器人更改与该账号关联的电子邮箱地址即可。这是一种非常直接的提示词注入攻击(Prompt Injection Attack)。
Neowin reported having the exploit as being “active in the wild for months, going as far back as February of this year, with hackers compromising thousands of accounts.” But the exploit seems to have gained more public notice in recent days with the compromise of high-profile accounts. Prominent researchers, such as Jane Manchun Wong, have also recently reported that their accounts were hacked.
Neowin 报道称,该漏洞“在野外已活跃数月,最早可追溯到今年 2 月,黑客已入侵了数千个账号。”但随着近期一些高知名度账号被入侵,该漏洞似乎引起了公众的更多关注。知名研究人员如 Jane Manchun Wong 最近也报告称其账号遭到黑客攻击。
On May 31, the pseudonymous open source intelligence researcher ZachXBT posted on X about how “the Meta AI support is garbage and has lots of access perms which allowed you to reset passwords to any user without 2FA and did not verify who you are.” At the same time, the researcher Dark Web Informer described the same exploit on X while noting it had been recently patched.
5 月 31 日,化名开源情报研究员的 ZachXBT 在 X 上发文称:“Meta 的 AI 客服简直是垃圾,它拥有过多的访问权限,允许你在没有双重验证(2FA)的情况下重置任何用户的密码,且不会验证你的身份。”与此同时,研究员 Dark Web Informer 也在 X 上描述了同样的漏洞,并指出该漏洞最近已被修复。
Both ZachXBT and Dark Web Informer also confirmed how hackers had targeted and resold particularly valuable Instagram accounts, including the short handles @hey and @jowo with a “combined gray-market valuation estimated above $1 million,” according to the CyberSec Guru. Such accounts can be valuable even if hackers hold them for just a few days because of “clout, resale or brand impersonation,” the security blog reported.
ZachXBT 和 Dark Web Informer 都证实,黑客专门针对并转售了极具价值的 Instagram 账号,据 CyberSec Guru 称,其中包括短 ID @hey 和 @jowo,其“灰色市场总估值估计超过 100 万美元”。该安全博客指出,即使黑客只持有这些账号几天,它们也极具价值,因为可以利用其进行“影响力炒作、转售或品牌冒充”。
The wide security hole
巨大的安全漏洞
The CyberSec Guru also described the exploit as representing the classic “confused deputy” problem from computer security, in which a program with elevated permissions is tricked into misusing those permissions on behalf of a less privileged third party. But in this case, the “deputy” was a large language model with a “probabilistic response model you can nudge with words” instead of a “deterministic program” with “hard-coded conditionals you’d need to bypass with code.”
CyberSec Guru 还将此漏洞描述为计算机安全领域经典的“困惑的代理人”(Confused Deputy)问题,即一个拥有高权限的程序被诱骗,代表权限较低的第三方滥用这些权限。但在本例中,“代理人”是一个拥有“可以通过文字引导的概率响应模型”的大语言模型,而不是一个需要“通过代码绕过硬编码条件”的“确定性程序”。
It’s worth keeping in mind that users had simple security solutions available, even with the Meta AI support chatbot being exploited. The hackers reported their exploit failing against any accounts that had enabled multifactor authentication (MFA), including the “least robust form of MFA that Instagram offers” in the form of one-time codes sent through SMS, according to KrebsOnSecurity.
值得注意的是,即使在 Meta AI 客服聊天机器人被利用的情况下,用户仍有简单的安全解决方案。据 KrebsOnSecurity 报道,黑客称他们的攻击手段对任何启用了多因素身份验证(MFA)的账号均无效,即使是 Instagram 提供的“最不稳健的 MFA 形式”——即通过短信发送的一次性验证码——也能起到防护作用。
But the exploit still highlights the broader risk of tech companies and other organizations rushing to deploy AI agents with elevated permissions that allow them to modify, create, or delete critical data. Meta had launched its Meta AI support assistant in March 2026 with the promise that it could “provide reliable, 24/7 support for nearly any support issue at any time.”
然而,这一漏洞仍然凸显了科技公司和其他组织在仓促部署拥有高权限的 AI 代理时所面临的更广泛风险,这些权限允许 AI 修改、创建或删除关键数据。Meta 于 2026 年 3 月推出了 Meta AI 客服助手,并承诺它能够“随时随地为几乎任何支持问题提供可靠的 24/7 全天候支持”。
The “minimum” architecture required to do this more safely, according to the CyberSec Guru, would include “out-of-band verification before any account modification… rate limiting on AI-initiated reset flows keyed to account risk signals, action logging with anomaly detection for unusual AI-driven account modifications, and a hard deterministic gate.”
据 CyberSec Guru 称,要更安全地实现这一目标,所需的“最低限度”架构应包括:“在任何账号修改前进行带外验证……针对 AI 发起的重置流程进行基于账号风险信号的速率限制,对异常的 AI 驱动账号修改进行带有异常检测的操作日志记录,以及设置一道硬性的确定性关卡。”