Meta said it fixed a flaw in Instagram’s AI-powered support chatbot after attackers reportedly used it to take over other users’ accounts, which is a polished way of saying the app had a robot at the front desk willing to hand over your apartment if a stranger showed up with a polite demeanor and a nice smile. According to reports and demonstration videos, attackers could use a VPN to mimic a victim’s location, ask the chatbot to change the account email to one they controlled, receive a verification code, and reset the password. Accounts reportedly affected included the Obama White House account, Sephora, Space Force chief master sergeant John Bentivegna, and security researcher Jane Manchun Wong, confirming the system was versatile enough to fail for government, retail, military, and people whose whole job is catching this kind of thing.
Meta did not say how the feature made it into production, though it said it moved quickly to fix it, presumably using the same industry-standard workflow that created it: one AI generates a solution, another AI reviews it, and a sleep-deprived engineer clicks approve on 4,000 lines of code they have been trained not to read because there are already 40,000 more on deck for review. The bug is reportedly closed, per internal AI bots, allowing Instagram users to return to the platform’s traditional account-recovery process of typing ALL CAPS into a form and praying not to receive an automated denial again.