New, by me: A number of high-profile and/or valuable Instagram accounts, including those of the Obama White House and the Chief Master Sergeant for the U.S. Space Force, got hacked and defaced with pro-Iran messaging in the past 24h after people figured out that Meta's AI support assistant could be tricked into resetting account passwords.

From the story:

"A video released on Telegram by pro-Iran hackers claimed to document a remarkably simple exploit that appears to have involved using a VPN connection with an IP address that is in or near the target's usual hometown, requesting a password reset for the account, and then choosing to chat with Meta's AI support assistant. From there, the video shows the attacker told the bot to link the account in question to a new email address, after which the bot dutifully sent that address a one-time code that allowed a password reset."

https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts/

#meta #instagram #hack #ai #security

@briankrebs There's a huge "LOL" bubbling up inside of me
@briankrebs "They're AI, Sergeant, sir!"
@briankrebs It is April 1st, isn't it?
@briankrebs File under: "Live by the sword, die by the sword."
@briankrebs Okay, that's it. This is beyond stupid. I'm in disbelief at how a company, even Meta, can do something so incredibly stupid.

@stormii
I hadn't had my morning coffee yet, so I'll skip on giving it the other numbers but this rings like it hits some OWASP LLM items.

But how exactly did they arrive at the idea that it would be a great idea to automate account recovery, via LLMs? If they insist it has to be done by the book, implement a classical process. If it's an ad-hoc decision, use the classical ad-hoc processing machine, homo sapiens.
@briankrebs

@stormii @briankrebs As long as the stock price doesn’t go down, who cares?
@briankrebs At what point does Altman shout “The Aristocrats!” and disappear forever?
@bob_zim @briankrebs I would have said right after the Great Eyeball Caper but it didn't happen so what do I know
@bob_zim
The IPO is coming soon, so after that, that rug is ready for the pull
@briankrebs
@briankrebs Does the Obama White House still have an Instagram account? It's been a few years...
@martinlentink probably an archive account. Targeting the Obama-era account for such a message is especially stupid given Obama's focus on negotiating a deal with Iran for years. @briankrebs
@nitrml @martinlentink @briankrebs but if they're able to send posts from that verified account that's probably still followed by millions it's worth it to them. How many now-inactive accounts do people follow? Particularly since I suspect that going through and doing cleanup is probably boring at best. No IG account to check, but if you're cleaning up who you're following does it let you sort or filter by when the account last posted?

@briankrebs

I feel like we have stepped back 30 years in infosec.

@shafik @briankrebs

There is no we we have suddenly become that secure

@briankrebs This is beyond stupid
@briankrebs Hmm, the "VPN" aspect of this makes me think this isn't entirely an "AI" (note quotes) related story, except in the sense that "Agentic AI" is 95% just workflows offloaded into MCP scripts. On the third hand, a lot of *those* are vibe coded garbage and so the circle is complete.
@briankrebs So this is the oh-so-highly-praised AI....🤯
@briankrebs You got to love the simplicity of it.
@briankrebs does that work on Truth Social as well? Would love to lock #theorangeone out

@briankrebs
Meta is the epitome...the quintessential ... the embodiment of "enshittification".
There is absolutely nothing meritorious about their websites... (I'll stop here.)

So, flaws are not surprising.

I still say the Iranians should release the Epstein files...or all the dirt they have. I find it hard to believe they don't have at least some of it.
They are probably thinking that they don't want to try to out-crazy a crazy person.

@briankrebs 🤣🤣🤣🤣🤣🤣🤣🤣 justice was served
@briankrebs Oh yeee, keep that shit flowing! MUHAHAHAAAAAA
@briankrebs that was probably Israel or the US itself, lol. This ship of propaganda sailed years ago, and the whole world can see the genocidal Israeli state attempting to use America against Iran, over and over. It's entirely out in the open now, and companies like Facebook would make this sort of thing easier, not harder.

@briankrebs Dipshits gonna dipshit.

I find it further amusing that MetaBook has possibly the worst spend-to-earnings ratio for LLMs: https://isaiprofitable.com/

@briankrebs And these are the miracle tools propping up the entire US economy.

Jfc the willful ignorance is staggering

@briankrebs Social engineering of AIs is a new frontier. AIs are not reliable enough to be put in a security gatekeeper role.
@briankrebs 😂 yet another gen AI support case. Horrible situation that can start wars or crash the stock market, etc.

@briankrebs So AI can also be "social engineered" ?

Who would have thought of that... but then again, this social engineering trick is older than AI..

🤣 😎

@briankrebs I complained on #reddit / #cybersecurity about Google logins post-Apple-upgrade caring about whether I was near the home I'd never consented to them recording. Reddit bros thought I was a fool, but this is the flip side of that.

@briankrebs holy..

Another reason to keep AI away from socials as far as possible

@briankrebs apparently paying AI programmers 7 or more figures isn’t enough to attract the best talent. Crazy.

@DunwichType @briankrebs

#Meta recently laid off 8,000 workers and said it was due to #AI -- perhaps this was an angry former employee?

@briankrebs "valuable Instagram accounts" LOL
@briankrebs Me.. trying to understand how it was possible..
@briankrebs NGL, IRGC looks epic as hell rn.
@briankrebs from the company that brought you the metaverse, without legs. tech support, without brains.
@briankrebs
Is that the Obama White House living rent free in Trump’s head?
@briankrebs the future is nao
@briankrebs "oh yes we streamlined the password reset process so well, we almost doubled the number of successful resets since introducing AI into it"
@briankrebs @LabSpokane This could be the basis of a good argument for why official government sites should not be on social media.
@briankrebs Am I the only one who can't understand why some sites only send the "we've gotten a request to change your email" message to the _NEW_ address?? Just did a bunch of changing of emails and this was surprisingly common. Best procedure used was: ask the old email if you requested a change, then verify the new one, then make the change. Worse, send the message to both emails. But this...¯\_(ツ)_/¯
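As an added illustration (constructed for this thread, not code from the story, from Meta or from any commenter), here is a small model of the two contact-change flows the thread contrasts: the one the story describes, where a support channel re-points the account at a new address and a reset code goes straight there, and the one the last comment recommends, where the address already on file must confirm the change before the new address is even contacted, and reset codes only ever go to the address on file. The `Account`, `Outbox` and `RecoveryService` names and all e-mail addresses are hypothetical.

```python
# Constructed model of a contact-email change / password-reset flow.
# Hypothetical code written for this thread; not Meta's or Instagram's.
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Account:
    username: str
    email: str  # the address currently on file: the only trusted one


@dataclass
class Outbox:
    """Stand-in for the mail sender; records (recipient, purpose, token)."""
    sent: list = field(default_factory=list)

    def send(self, to: str, purpose: str, token: str) -> None:
        self.sent.append((to, purpose, token))


def weak_link_email(account: Account, new_email: str, outbox: Outbox) -> str:
    """The flow the story describes: the support channel re-points the account
    and the reset code goes to the new, never-verified address."""
    account.email = new_email
    code = secrets.token_hex(3)
    outbox.send(new_email, "password-reset", code)
    return code


class RecoveryService:
    """Hardened flow: old address confirms, then new address verifies, and only
    then does the account's e-mail move. Reset codes go to the address on
    file regardless of who (human agent or assistant) asked for them."""

    def __init__(self, outbox: Outbox):
        self.outbox = outbox
        self.pending: dict[str, dict] = {}

    def request_email_change(self, account: Account, new_email: str) -> str:
        # Any channel may *start* a change; nothing on the account moves yet.
        token = secrets.token_urlsafe(16)
        self.pending[account.username] = {
            "new_email": new_email, "old_token": token,
            "new_token": None, "old_confirmed": False,
        }
        self.outbox.send(account.email, "confirm-email-change", token)
        return "awaiting-old-address"

    def confirm_from_old_address(self, account: Account, token: str) -> bool:
        p = self.pending.get(account.username)
        if p is None or not hmac.compare_digest(p["old_token"], token):
            return False
        p["old_confirmed"] = True
        p["new_token"] = secrets.token_urlsafe(16)
        # Only now is the new address contacted, to prove it is reachable.
        self.outbox.send(p["new_email"], "verify-new-email", p["new_token"])
        return True

    def verify_new_address(self, account: Account, token: str) -> bool:
        p = self.pending.get(account.username)
        if p is None or not p["old_confirmed"] or p["new_token"] is None:
            return False
        if not hmac.compare_digest(p["new_token"], token):
            return False
        account.email = p["new_email"]
        del self.pending[account.username]
        return True

    def send_reset_code(self, account: Account) -> str:
        # A pending, unconfirmed change never redirects reset codes.
        code = secrets.token_hex(3)
        self.outbox.send(account.email, "password-reset", code)
        return code


def simulate() -> dict:
    """Run both flows on a constructed account and report where the reset
    code and the final e-mail ended up."""
    weak_acct, weak_out = Account("demo_user", "owner@example.com"), Outbox()
    weak_link_email(weak_acct, "unverified@example.net", weak_out)

    hard_acct, hard_out = Account("demo_user", "owner@example.com"), Outbox()
    svc = RecoveryService(hard_out)
    svc.request_email_change(hard_acct, "unverified@example.net")
    svc.send_reset_code(hard_acct)  # still goes to the owner
    premature = svc.verify_new_address(hard_acct, "guess")  # owner never confirmed

    # Legitimate change: the owner clicks the link in their old mailbox,
    # then the new mailbox proves it is reachable.
    legit_acct, legit_out = Account("demo_user", "owner@example.com"), Outbox()
    svc2 = RecoveryService(legit_out)
    svc2.request_email_change(legit_acct, "unverified@example.net")
    svc2.confirm_from_old_address(legit_acct, legit_out.sent[-1][2])
    svc2.verify_new_address(legit_acct, legit_out.sent[-1][2])

    return {
        "weak_final_email": weak_acct.email,
        "weak_reset_sent_to": weak_out.sent[-1][0],
        "hard_final_email": hard_acct.email,
        "hard_reset_sent_to": hard_out.sent[-1][0],
        "hard_recipients": sorted({to for to, _, _ in hard_out.sent}),
        "premature_verify": premature,
        "legit_final_email": legit_acct.email,
    }
```

The design point is ordering: the new address is not contacted at all until the address on file has confirmed, so an unauthenticated support conversation can at most generate a confirmation mail to the real owner, which is also the signal worth alerting on.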