Obama’s White House Instagram account among thousands exposed in hack

Social media users noticed something unusual on Instagram last week. The long-dormant profile for the White House, created under former President Barack Obama, had been taken over without explanation.

It turns out that the old White House account was one of 20,225 profiles that were hijacked after hackers exploited the platform’s AI-supported chatbot.

Meta, the owner of Instagram, confirmed the hack on Friday.

A video from the alleged hacker later appeared on X that detailed how passwords could be reset by tricking Meta’s AI support assistant. The hacker demonstrated by connecting to a VPN server near the target’s suspected region before asking the chatbot to add their own email address to the victim’s account.

The chatbot, which failed to confirm that the hacker actually owned the victim’s account, then sent a verification code to the hacker’s email address. When the hacker provided the code to the chatbot, a “Reset Password” prompt appeared. The hacker was then allowed to change the victim’s password.

Meta: chatbot ‘functioned as intended’

Meta responded to the breach by taking the support chatbot offline and patching the vulnerability, company spokesperson Andy Stone said on X. He disputed online claims about hacks of accounts registered to world leaders, but said that “the issue that did happen has already been fixed.”

In a data breach notification sent to the Maine attorney general on Friday, Amber Hannah, Meta’s associate general counsel, said the AI chatbot “worked properly and functioned as intended” but was exploited “due to a bug in a separate code path.”

Because of the hack, Hannah wrote, “the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account.”

“As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request,” Hannah continued. “This allowed unauthorized third parties to receive a password reset link for accounts they did not own. Upon resetting the password, the unauthorized party was able to log in to the account if the account holder had not enabled two-factor authentication (2FA).”

Hannah’s letter does not specify when the bug was first exploited. But a filing on the website for Maine’s attorney general suggests the attacks date as far back as April 17, according to BleepingComputer, a technology news website.

Extent of breach unknown

Meta was unable to determine what data may have been compromised during the attacks.

However, the company said that anything the account holder would have been able to view — such as their own direct messages — was exposed to the hacker.

Meta forced affected users to reset their passwords to regain control of their stolen accounts. 

Before it relaunches the support chatbot, the company said it “will fix the authentication check in the Instagram recovery entry point to ensure proper verification of email addresses against existing account information before any password reset is initiated.”
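As an added illustration, not Meta's own code (which is not public), the following constructed Python model contrasts the recovery check Hannah's letter describes with the verification the company says it will add: the vulnerable handler mails a reset link to whatever address the requester supplies, while the hardened one compares the supplied address against the one on record and only ever mails that address. The account names and email addresses are constructed sample data.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str                 # address on record for the account


@dataclass
class ResetService:
    accounts: dict
    outbox: list = field(default_factory=list)    # (recipient, token) "emails" sent
    tokens: dict = field(default_factory=dict)    # token -> username it resets

    def _issue(self, recipient: str, username: str) -> str:
        token = secrets.token_urlsafe(24)
        self.tokens[token] = username
        self.outbox.append((recipient, token))
        return recipient

    def request_reset_vulnerable(self, username: str, provided_email: str):
        """Models the bug in Meta's notice: the address the requester supplies is
        trusted, so the reset link goes to an email never associated with the account."""
        if username not in self.accounts:
            return None
        return self._issue(provided_email, username)

    def request_reset_fixed(self, username: str, provided_email: str):
        """Hardened: the supplied address must match the address on record (compared
        in constant time), and the link is sent only to the on-record address."""
        acct = self.accounts.get(username)
        if acct is None:
            return None            # same silent outcome as a mismatch: no user enumeration
        if not hmac.compare_digest(acct.email.strip().lower().encode(),
                                   provided_email.strip().lower().encode()):
            return None            # reject rather than mail an unassociated address
        return self._issue(acct.email, username)


def demo():
    # Constructed sample account and addresses (hypothetical, not from the article)
    svc = ResetService({"victim": Account("victim", "owner@example.com")})
    hijacked = svc.request_reset_vulnerable("victim", "attacker@example.net")
    rejected = svc.request_reset_fixed("victim", "attacker@example.net")
    legit = svc.request_reset_fixed("victim", "owner@example.com")
    return hijacked, rejected, legit
```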

Ella Rae Greene, Editor In Chief