In AI Blunder, More Than 34,000 Instagram Accounts Were Attacked

The Seattle Times

SAN FRANCISCO — Late last month, the former White House social media account for President Barack Obama suddenly began posting odd things on its Instagram page.

The account had been dormant since 2017, when Obama left office. The new posts — which included messages deriding President Donald Trump and saying that the White House was “under Shiite control,” referring to the branch of Islam — were out of character for Obama’s social media activities.

It turned out the posts were not made by Obama’s office at all. In May, a group of hackers discovered a bug in a Meta customer service tool that allowed anyone to use an artificial intelligence-powered chatbot to reset the passwords for Instagram accounts. All the hacker had to do was ask the chatbot to change someone’s password — and it would be done.

Roughly 34,000 Instagram accounts were affected, including the accounts of the home security monitoring company SimpliSafe and a senior official in Trump’s Space Force department, according to internal Meta documents viewed by The New York Times. In the Space Force official’s case, hackers began posting pro-Iran messages comparing the war in Iran to U.S. involvement in Vietnam in the 1960s.

Of the 34,000 accounts, 20,000 were breached, giving hackers access to the related email addresses, phone numbers, birth dates and other personal data. More than 3,500 of the accounts had their user names taken over and changed as a result of the hack, according to the internal documents. Meta has said it could not determine what information was viewed or stolen by the attackers.

In a statement, Meta said it had fixed the flaw, which was reported by 404 Media this month, and secured the affected accounts.

“Some of our internal back-end checks failed in this instance, but it wasn’t due to the AI agent itself, and we’ve addressed the underlying cause,” said Andy Stone, a Meta spokesperson, adding that it was notifying regulators and people whose accounts were affected. The company said because of its new automated customer service programs called “agents,” the number of users who were able to recover hacked accounts in the United States and Canada increased by 30% last year.
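The failure Stone describes, a password reset invoked through an AI agent whose back-end checks did not hold, can be modelled in a few lines. This is an added illustration, not Meta's code: the account store, session object and tool names are hypothetical, and it contrasts a tool that trusts the account name in the agent's call with one that enforces authorization in the backend regardless of what the agent asks for.

```python
from dataclasses import dataclass

# Constructed sample account store and support-chat session; hypothetical
# names standing in for the kind of backend an AI support agent calls into.
ACCOUNTS = {"victim": "victim-pw", "attacker": "attacker-pw"}

@dataclass
class Session:
    authenticated_user: str           # account actually logged in to the chat
    ownership_verified: bool = False  # out-of-band proof of ownership done?

class AuthorizationError(Exception):
    pass

def reset_password_unchecked(session, target, new_pw):
    """Vulnerable pattern: the backend trusts whatever account name the
    agent passes in its tool call, so any chat user can reset any account."""
    if target not in ACCOUNTS:
        raise KeyError(target)
    ACCOUNTS[target] = new_pw

def reset_password_checked(session, target, new_pw):
    """Hardened pattern: authorization lives in the backend, not in the
    agent's judgement. The target must be the session's own account and
    ownership must already be verified through a separate channel."""
    if target != session.authenticated_user:
        raise AuthorizationError("target is not the authenticated account")
    if not session.ownership_verified:
        raise AuthorizationError("ownership challenge not completed")
    if target not in ACCOUNTS:
        raise KeyError(target)
    ACCOUNTS[target] = new_pw

def attempt(tool, session, target, new_pw="new-pw"):
    """Run a tool call the way an agent dispatcher would and report the outcome."""
    try:
        tool(session, target, new_pw)
        return "reset"
    except AuthorizationError as exc:
        return f"denied: {exc}"

if __name__ == "__main__":
    attacker = Session("attacker")
    print(attempt(reset_password_unchecked, attacker, "victim"))  # reset
    print(attempt(reset_password_checked, attacker, "victim"))    # denied
    owner = Session("victim", ownership_verified=True)
    print(attempt(reset_password_checked, owner, "victim"))       # reset
```

The point of the hardened version is that the agent never becomes the authorization decision: even if it is talked into calling the tool for someone else's account, the backend rejects the call.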

A spokesperson for Obama declined to comment.

The incident was another AI-themed hiccup for Meta as it tries to remake itself using the technology. The company, which also owns Facebook and WhatsApp, is not only integrating AI into its apps, but is spending billions to keep pace with rivals including Anthropic and OpenAI to develop cutting-edge AI. Mark Zuckerberg, Meta’s CEO, has said his company’s future depends on quickly shifting to an AI-first organization.

But that transition has not been smooth. Last month, Meta unveiled a program to track employees’ computer activity for AI training, causing a revolt among its workers. It also pushed AI tools on employees while laying off thousands of them to offset AI spending, further hurting morale.

More broadly, concerns have also grown that advanced AI is creating more security threats than it is stopping. In April, Anthropic announced Mythos, its most advanced AI model, but declined to publicly release the technology, worried that it could be used for widespread security exploits. On Tuesday, Anthropic released Claude Fable 5, a straitjacketed version of Mythos that the company said was safe for widespread use.

(The New York Times sued OpenAI and Microsoft in 2023, claiming copyright infringement of news content related to A.I. systems. The two companies have denied those claims.)

Stealing high-profile social media accounts with millions of followers has long been lucrative. Hackers have found ways to trick users into giving up their handles through duplicitous messages or fake password resets, often reselling the handles to bidders such as cryptocurrency promoters or political operatives. Buyers then use the accounts to spread messages for personal or political gain, or sometimes just to wreak havoc.

In recent weeks, Meta has ramped up plans to offer AI products to businesses, aiming to court more corporate customers. At an event last week, the company introduced a “business agent” product, which lets organizations use automated chatbots for customer service issues such as booking appointments or completing transactions. Meta’s business agent is available to customers on Instagram, WhatsApp and Facebook Messenger.

In a letter to Maine’s attorney general last week, which was obtained by This Week in Security, Meta said it was conducting a “comprehensive review” to identify further security issues and handle them.

Still, Meta decided not to make major changes to its AI plans after the Instagram hacks, according to the internal documents. “We agreed to leave all products on and to pause one ongoing experiment (IG Forgot Password Chat),” the documents said. “All other entrypoints will remain available.”

Meta employees appeared to be girding themselves for future incidents.

“Adversarial attack vectors are always adapting,” one employee wrote in an internal message to colleagues, which was viewed by the Times. “Security testing is a continuous process.”