Threat actors exploited a logic flaw in Meta's AI-powered account recovery assistant to link their own email addresses to high-profile Instagram accounts. The attack relied on a confused deputy vulnerability: the AI assistant, which holds API access to account management, performed actions on behalf of the attackers. The affected accounts included those of the Barack Obama White House, the Chief Master Sergeant of the Space Force, and Sephora. Researchers have long warned about confused deputy issues in AI systems that operate with elevated privileges. Affected users report having no way to escalate support issues after account theft.
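The confused-deputy shape the summary describes, as an added illustration that is not Meta's code: a hypothetical assistant holds a privileged account-management token and executes whatever tool call the chat requests, so its own privilege, not the requester's proven identity, ends up authorizing the change. The `AccountAPI`, `Session` and account names are assumptions and the sample data is constructed.

```python
"""Confused deputy in a hypothetical AI account-recovery assistant.

Illustration only; AccountAPI, Session and the account names are assumed,
and the sample store is constructed rather than taken from the incident.
"""
from dataclasses import dataclass, field


def new_store() -> dict:
    """Constructed sample data: account -> set of recovery emails."""
    return {"whitehouse": {"admin@example.gov"},
            "brand_store": {"it@example.test"}}


@dataclass
class Session:
    """The chat session the assistant is serving."""
    requester_email: str                        # identity the requester proved
    owned_accounts: set = field(default_factory=set)  # accounts they control


class AccountAPI:
    """Privileged backend: trusts any caller presenting the service token."""
    def __init__(self, service_token: str, store: dict) -> None:
        self._token, self._store = service_token, store

    def add_recovery_email(self, token: str, account: str, email: str) -> bool:
        if token != self._token or account not in self._store:
            return False
        self._store[account].add(email)
        return True

    def recovery_emails(self, account: str) -> frozenset:
        return frozenset(self._store.get(account, ()))


def vulnerable_assistant(api: AccountAPI, token: str, session: Session,
                         account: str, new_email: str) -> bool:
    """Confused deputy: the assistant's token authorizes the call, so the
    requester can name any account in the request and it goes through."""
    return api.add_recovery_email(token, account, new_email)


def hardened_assistant(api: AccountAPI, token: str, session: Session,
                       account: str, new_email: str) -> bool:
    """Bind the action to the requester: check the target account against
    the session's proven ownership before spending the assistant's privilege."""
    if account not in session.owned_accounts:
        return False
    return api.add_recovery_email(token, account, new_email)
```

The same check belongs in the backend too: an API that accepts a bare service token cannot tell a legitimate request from one the assistant was talked into relaying.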
Tracked by ByteBrief