Hackers easily fool Instagram's new AI identity verification, humiliating Meta once again
There’s plenty of talk about how AI chatbots will take everyone’s jobs by the end of the decade, but so far, few companies have gone all in on the supposed wave of the future. One such company that did take the plunge, however, is Meta. After recently laying off 8,000 employees in favor of an AI workforce, Zuckerberg is already reaping the repercussions of little-to-no human oversight as AI just caused one of the most devastating Instagram account breaches in its history.
The Instagram bungle of the decade
Over the weekend, news broke that Instagram accounts were being hacked en masse with no clear reason why. Many of the targeted accounts included rare handles of high value, well-established accounts with more than a decade of ownership, and high-profile accounts belonging to elite users. Some of the most notable victims included the Obama White House and the Chief Master Sergeant of the U.S. Space Force John Bentivegna. Stranger still, account owners claimed that their passwords were changed without their knowledge or consent.
At least in the case of Obama’s account, the hackers posted propaganda depicting former Iranian Major General Qasem Soleimani holding hands with former Iraqi Deputy Commander Abu Mahdi al-Muhandis, both eliminated at the hands of the U.S. military in 2020. The images included Arabic messages claiming that the White House is under Shiite control.
The exploit wasn’t due to a Meta system breach or password leak posted to the internet. As internet sleuths started to pore through the information, they discovered that Meta’s AI-powered identity verification system was easily duped into transferring ownership to thieves.
How hackers secretly stole Instagram accounts overnight
An X account that goes by Dark Web Informer published a video to their feed detailing exactly how hackers gained access to these high-profile Instagram accounts. The process was so simple that practically anyone could pull it off.
- The hacker enabled a VPN on his device and set it to the location of the account owner to trick Instagram into believing that he currently resided in the area.
- The hacker went to the “forgot password” section of Instagram and typed in the target account handle.
- On the next page, instead of choosing to send a recovery email that would alert the owner to the hacker, he selected “Get Support,” which opened a chatbox with the Meta AI support assistant. Note that this is an AI-powered chatbot, not a real person.
- From here, the hacker could tell the chatbot that the recovery email addresses on file were no longer valid and that any security codes should be sent to a new inbox, which pointed directly to an email address owned by the hacker.
- The Meta AI support assistant sent an email with a security code to the new inbox with no additional verification, prompting the hacker to paste that code into the Meta AI chat to prove he was the person submitting the request.
- The Meta AI support assistant accepted the verification code and allowed the hacker to proceed with changing the password on the account.
- The hacker confirmed the new passcode, taking ownership of the handle and essentially locking the original owner out of the account entirely.
Other reports claim that the Meta AI support assistant may also prompt users to submit a selfie or video of themselves to verify their identity before proceeding with the password change. However, these safety measures were also easily thwarted by creating an AI-generated photo or video of the owner’s face that was good enough to trick the Meta AI support assistant into permitting access.
As you can see, this exploit could be used on any account, anywhere, anytime, and the Meta AI support assistant gave up the ghost every time. The exploit has since been patched.
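The logic flaw in the steps above, modeled as an added example (this is not Meta's code): a code sent to an address the requester supplies only proves the requester controls that address, so a hardened flow sends codes only to contacts verified before the request. All names here (`Account`, `vulnerable_recovery`, `hardened_recovery`, the `manual_review` outcome) and the example.com addresses are hypothetical.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    handle: str
    contacts_on_file: frozenset  # addresses the owner verified before any recovery request
    outbox: list = field(default_factory=list)  # (destination, message) pairs "sent"


def _send_code(account, destination):
    account.outbox.append((destination, "code:" + secrets.token_hex(3)))


def vulnerable_recovery(account, requested_address):
    """Flow from the steps above: the code goes wherever the requester asks,
    so pasting it back only proves control of the requester's own inbox."""
    _send_code(account, requested_address)
    return {"code_sent_to": requested_address, "reset_allowed": True}


def hardened_recovery(account, requested_address):
    """Codes go only to contacts already on file. An unknown address gets no
    code, the real contacts are alerted, and the case leaves self-service."""
    if requested_address not in account.contacts_on_file:
        for contact in sorted(account.contacts_on_file):
            account.outbox.append((contact, "alert: recovery tried with unknown address"))
        return {"code_sent_to": None, "reset_allowed": False,
                "next_step": "manual_review"}  # assumed escalation path
    _send_code(account, requested_address)
    return {"code_sent_to": requested_address, "reset_allowed": True}


def demo():
    # Constructed sample data, not taken from the incident.
    owner, requester = "owner@example.com", "requester@example.net"
    weak = vulnerable_recovery(Account("sample_handle", frozenset({owner})), requester)
    acct = Account("sample_handle", frozenset({owner}))
    strong = hardened_recovery(acct, requester)
    return weak, strong, acct.outbox


if __name__ == "__main__":
    for item in demo():
        print(item)
```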
Zuckerberg made a mistake, but users lose in the end
If there were ever a way to prove that AI chatbots weren’t ready to replace humans in the workplace — especially in high-profile positions like account security — this is it. Meta has abused its workforce over the last several months, tracking their keystrokes to train AI and even sending 10% of its staff to the unemployment line, all to usher in the AI revolution where bots do all the work and humans are left to muddle through the mediocrity of degrading technology, fewer employment opportunities, and AI overload.
Unfortunately, these types of security breaches are just another reason that platforms and apps will eventually require Real IDs for both age and identity verification, and we’ll have no choice but to play along or lose access to the apps and services we use every day.
In the end, the only way for executives like Zuckerberg to learn that it’s better to keep real people on the payroll in lieu of AI is for the consequences to hit fast and hard. Unfortunately, this time, users were hit the hardest, but at least Zuckerberg’s decision to turn account security over to AI is a mistake he gets to own and atone for in whatever litigation is sure to come his way for his careless decisions.