Meta Admits Its ‘AI’ Helped Hackers Compromise 20,000 Instagram Accounts

from the I-can-most-definitely-do-that,-Dave dept

So last week we noted how Meta’s AI support assistant doled out access to high-profile Instagram accounts after hackers simply asked for it. Outside of using a VPN to match the account holder’s region, the hackers didn’t have to do literally anything of note to convince the Meta AI chatbot to provide access, suggesting that, like so many AI offerings, this was undercooked software Meta incompetently rushed to market.

Meta has subsequently confirmed the issues and outlined the full scope of the problem. In a data breach notice filed with Maine’s attorney general’s office late on Friday and noticed by TechCrunch, Meta notified at least 20,225 people that their accounts had been compromised, including 30 people in Maine.

“The compromises allowed the hackers to take over the person’s entire Instagram and any linked accounts, including obtaining contact information, dates of birth, and profile information, as well as the ability to access the person’s posts, direct messages, and account activity,” the notice reads.

Meta’s notice confirmed the problem began with “a vulnerability in an AI-assisted account recovery system for Instagram” that was exploited to “perform password resets on Instagram user accounts.” Fortunately, the “trick” didn’t work if users had two-factor authentication enabled.
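To make the two-factor point concrete, here is an added illustration (not part of the article, and not Meta’s code; the recovery flow, the `Account` and `RecoveryRequest` fields, and the out-of-band challenge step are all assumptions) of a recovery gate in which the assistant’s verdict is logged but never authorizes anything. The backend itself verifies a possession factor: a TOTP code per RFC 6238, a single-use recovery code, or an out-of-band challenge for accounts that never enrolled in 2FA. A request that matches the account’s region and that the assistant rates “legitimate” is still denied unless one of those factors checks out.

```python
"""Account-recovery gate where the chatbot's opinion is advisory only.

Illustrative design, not Meta's system: the field names and the out-of-band
challenge are assumptions. The only thing that can authorize a password
reset is a possession factor the backend verifies itself.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# RFC 4226 / RFC 6238 test secret, used only by the demo and the tests.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)


def hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class Account:
    username: str
    region: str
    totp_secret: Optional[bytes] = None                # None => 2FA not enrolled
    recovery_code_hashes: Set[str] = field(default_factory=set)
    pending_challenge_hash: Optional[str] = None       # hash of last out-of-band code


@dataclass
class RecoveryRequest:
    username: str
    request_region: str
    assistant_says_legitimate: bool   # chatbot output: recorded for audit, never trusted
    presented_code: Optional[str] = None


def issue_challenge(account: Account) -> str:
    """Create a single-use code to send out of band (email/SMS in a real deployment,
    which is assumed here). Returned so the demo can play the account owner."""
    code = f"{secrets.randbelow(10 ** 8):08d}"
    account.pending_challenge_hash = hash_code(code)
    return code


def decide_reset(account: Account, req: RecoveryRequest, now: int) -> Tuple[bool, str]:
    """Return (allowed, reason). Region match and assistant approval carry no weight."""
    signals = []
    if req.request_region != account.region:
        signals.append("region-mismatch")
    if req.assistant_says_legitimate:
        signals.append("assistant-approved")
    if req.presented_code is None:
        return False, f"denied: no possession factor presented [{','.join(signals)}]"

    if account.totp_secret is not None:
        if hmac.compare_digest(totp(account.totp_secret, now), req.presented_code):
            return True, "allowed: totp verified"
        h = hash_code(req.presented_code)
        if h in account.recovery_code_hashes:
            account.recovery_code_hashes.discard(h)   # single use
            return True, "allowed: recovery code consumed"
        return False, "denied: second factor invalid"

    # No 2FA enrolled: the population the notice says was exposed. Still require the
    # out-of-band challenge, and consume it whether or not it matched (no retries).
    expected, account.pending_challenge_hash = account.pending_challenge_hash, None
    if expected is not None and hmac.compare_digest(expected, hash_code(req.presented_code)):
        return True, "allowed: out-of-band challenge verified"
    return False, "denied: out-of-band challenge missing or invalid"


if __name__ == "__main__":
    victim = Account("victim", region="US")                       # no 2FA
    attacker = RecoveryRequest("victim", "US", assistant_says_legitimate=True)
    print(decide_reset(victim, attacker, now=59))                 # denied
    code = issue_challenge(victim)                                # reaches the owner's inbox
    print(decide_reset(victim, RecoveryRequest("victim", "US", False, code), now=59))
    protected = Account("alice", "DE", totp_secret=RFC_TEST_SECRET)
    print(decide_reset(protected, RecoveryRequest("alice", "DE", True, "287082"), now=59))
```

The design choice worth noting: the assistant is not a principal in this flow at all. It can collect the request and explain the steps, but `decide_reset` has no branch that reads `assistant_says_legitimate` to grant anything, so a persuasive conversation or a matching VPN exit region buys the requester nothing without the code.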

The company also claims it’s “unaware” of specifically what information was compromised during the three-week-long hacking spree. Which is to say that, as with so many security breaches, the full scope of this could be worse than what’s been revealed.

Meta/Facebook is, so we’re clear, a company with 70,000 employees and a $1.57 trillion market cap. That they rushed an AI support chatbot into widespread service across roughly 3 billion active Instagram accounts is just a stunning level of incompetence.

As we saw with a different massive AI-related fuck up by Google last week (where all search queries were interpreted as AI prompts across the entire company’s search system), these companies are apparently in such a rush to justify their massive, lopsided AI spending that they’ve forgotten to do basic development testing and quality control.

Companies: meta


Comments on “Meta Admits Its ‘AI’ Helped Hackers Compromise 20,000 Instagram Accounts”

7 Comments
Stephen says:

Current AI is about as gullible as a hungry kitten watching you wave a bottle of milk about

Ultimately it’s the far more stupid humans behind it at fault though

They say behind every strong man is a strong woman

Now we can say behind every AI idiot there’s an even dumber human

Whose bright idea was it to give a robotized moron access to people’s passwords in the first place?

They should have their brains preserved for science

Rich Kulawiec says:

There's no quality control in ANY of these models

“these companies are apparently in such a rush to justify their massive, lopsided AI spending that they’ve forgotten to do basic development testing and quality control.”

This is true throughout their entire process, because they’re not interested in creating a well-crafted product/service; they’re interested in creating something that gives the superficial appearance of being well-crafted so that they can cash in.

As just one example, consider where it starts: the input, and consider just one use case for these LLMs: programming. If you were trying to train a model to write good code, you’d want to carefully curate the corpus of code that you gave it as input. You’d look for examples of great programming style, correctness, readability, maintainability, standards compliance, portability — all the things that make for good code. And you’d exclude poorly-written code and junk code and buggy code and broken code and everything else.

Is that what they’re doing? Not even close. They’re scraping everything they can from every source they can with no regard for…anything. They’re in too big a hurry to bother with even the pretense of curation.

The first and obvious result of this is something that’s been a programming maxim for decades: garbage in, garbage out. The second and not quite as obvious result is that attackers have figured out what I wrote in the previous paragraph and are now leaving deliberately buggy/backdoored code for the LLM web crawlers to vacuum up and incorporate into the models. That doesn’t bode well for the people who are blithely using LLM-generated code without carefully inspecting it. And of course the LLM operators take no responsibility whatsoever for any adverse consequences resulting from use of their products.
