Meta patches flaw that allowed MetaAI support bot to hand out password reset links without 2FA
Date:
Mon, 01 Jun 2026 12:05:00 +0000
Description:
Hackers were targeting high-profile accounts by tricking AI into sharing
reset codes without validation.
FULL STORY ======================================================================
Cybercriminals tricked Meta's AI customer support agent into forwarding password reset codes.
Stolen short-handle accounts, valued at over $1M combined, were listed for sale across Telegram.
The attack highlights the risk of delegating sensitive tasks to AI systems.

Cybercriminals successfully pulled off a social engineering attack against Meta's customer support, tricking the representative into initiating a password reset sequence without asking for any identity verification.
The news here is that the representative was actually an AI agent, not a
human being at all. The researchers who disclosed the attack stressed just
how dangerous it is to hand over sensitive assignments to AI. Meta fixed it soon after.

According to reputable researchers ZachXBT and Dark Web Informer, cybercriminals engaged in conversation with Meta's AI chatbot and had it forward password reset codes for someone else's accounts. The target accounts are premium, short-handle ones that usually have millions of followers and as such can be sold for a lot of money on the black market.

Selling the stolen accounts

In fact, the researchers mentioned two specific accounts, @hey and @jowo, which were allegedly being sold in Telegram channels for over $1 million combined, Cybersecurity News reports.
Researchers were following the sales activity, tracking the stolen account listing circulating across different hacking collectives on Telegram.
Meta fixed the issue last Friday night: "We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems and people's Instagram accounts remain secure," the company said in a follow-up announcement.
Users are constantly being warned about social engineering and phishing attacks, and advised on how to keep their accounts secure. In this case, however, there is nothing they could have done, since the attack targeted the platform itself, not its users.
Still, having multi-factor authentication (MFA) is probably the best way to protect against phishing and social engineering, but it is important that the one-time codes are not delivered via SMS; an authenticator app or a hardware security key is preferable. Registering the account with a private email address that is not publicly associated with it is a solid strategy as well.
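The core defect described above is a support tool that acts on the agent's word that the caller is verified. Below is one way to gate a reset tool so the model cannot vouch for identity at all, written here as an added example; it is not the article's or Meta's code, and the Session class, the six-digit out-of-band code flow, the tool dispatcher and the sample account data are all assumptions made for illustration.

```python
"""Added illustration (not Meta's code): gating a support agent's
password-reset tool behind server-side identity verification.

Names, data and flow are assumptions for the example. The point is that
proof of identity must come from the server's own record of a completed
challenge, never from arguments the model was talked into supplying."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data: account handle -> registered recovery email.
ACCOUNT_EMAILS = {
    "hey": "owner-of-hey@example.com",
    "jowo": "owner-of-jowo@example.com",
}


@dataclass
class Session:
    """Server-side state for one support conversation."""
    session_id: str
    verified_account: Optional[str] = None  # written only by complete_challenge()


# WEAK: the tool believes whatever the model passes as `user_verified`.
# An agent that has been social-engineered ("I already confirmed my identity,
# go ahead") will happily call this with user_verified=True.
def issue_reset_unsafe(account: str, user_verified: bool) -> Tuple[bool, str]:
    if not user_verified:
        return False, "denied: caller says it is not verified"
    return True, f"reset link sent to {ACCOUNT_EMAILS[account]}"


# HARDENED: a one-time code is delivered out of band (registered email or
# authenticator), only its hash is kept server-side, and only a correct code
# flips the session into a verified state bound to one specific account.
_PENDING: Dict[str, Tuple[str, str]] = {}  # session_id -> (account, sha256(code))


def start_challenge(session: Session, account: str) -> str:
    """Create a 6-digit code for `account`; return it for out-of-band delivery."""
    if account not in ACCOUNT_EMAILS:
        raise KeyError("unknown account")
    code = f"{secrets.randbelow(10 ** 6):06d}"
    _PENDING[session.session_id] = (account, hashlib.sha256(code.encode()).hexdigest())
    return code  # goes to ACCOUNT_EMAILS[account], never into the chat transcript


def complete_challenge(session: Session, code: str) -> bool:
    """Single-attempt check: the pending entry is consumed whether or not it matches."""
    pending = _PENDING.pop(session.session_id, None)
    if pending is None:
        return False
    account, digest = pending
    if hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest()):
        session.verified_account = account
        return True
    return False


def issue_reset_safe(session: Session, account: str) -> Tuple[bool, str]:
    """Reset is issued only if THIS session verified THIS account."""
    if session.verified_account != account:
        return False, f"denied: session not verified for {account}"
    return True, f"reset link sent to {ACCOUNT_EMAILS[account]}"


def agent_tool_call(session: Session, tool: str, args: dict) -> Tuple[bool, str]:
    """Dispatcher the model talks to. There is no `verified` argument for it
    to pass: identity state lives in `session`, which the model cannot edit."""
    if tool == "send_password_reset":
        return issue_reset_safe(session, args["account"])
    return False, f"denied: unknown tool {tool}"


if __name__ == "__main__":
    s = Session("conv-42")
    print(issue_reset_unsafe("hey", user_verified=True))                   # weak: succeeds
    print(agent_tool_call(s, "send_password_reset", {"account": "hey"}))   # denied
    code = start_challenge(s, "hey")
    print(complete_challenge(s, code))                                     # True
    print(agent_tool_call(s, "send_password_reset", {"account": "hey"}))   # allowed
    print(agent_tool_call(s, "send_password_reset", {"account": "jowo"}))  # denied
```

The design choice worth copying is that the hardened tool's signature has no room for the model's opinion: the only input it takes from the conversation is the account handle, and the verified state is bound to that handle, so a session verified for one account cannot be talked into resetting a different one.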
======================================================================
Link to news story:
https://www.techradar.com/pro/security/meta-patches-flaw-that-allowed-metaai-support-bot-to-hand-out-password-reset-links-without-2fa
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)