待翻译：Hackers hijacked high-profile Instagram accounts by simply asking Meta's AI chatbot to change the email

AI 服务暂时不可用，以下为来源正文，待恢复后补全翻译。

Hackers took over prominent Instagram accounts by asking Meta's AI support chatbot to swap out the email address on file. Two-factor authentication was bypassed entirely. Targets included the Obama White House account, the Chief Master Sergeant of the US Space Force, and cosmetics chain Sephora. Short, highly coveted usernames also changed hands within minutes and were resold on Telegram. These OG handles, names made up of just a few letters or common words, can fetch six-figure sums on gray markets. Researchers ZachXBT and Dark Web Informer, who track crypto crime and underground markets, documented the fallout publicly. Two of the compromised handles reportedly had a combined market value of over $1 million. The method was surprisingly simple. Attackers turned on a VPN to place themselves in the target account's geographic region, kicked off a password reset, and then told the AI support assistant to update the email address on the account, promising to send the confirmation code right away. The bot then sent an eight-digit confirmation code to the attacker's email address, followed by a password reset link. Where Meta's automated identity check kicked in, the attackers got around it by running the victim's public Instagram photos through AI video generators, according to The CyberSec Guru. That produced realistic-looking selfie clips that fooled the automated security checks. A textbook confused deputy attack The CyberSec Guru calls the incident a textbook example of a well-known problem in IT security called the confused deputy. A helper system holds more privileges than the actual user, and an attacker tricks it into exercising those privileges on their behalf. The AI assistant was allowed to swap email addresses and reset passwords, actions a regular Instagram user can't trigger directly. Anyone who asked the bot nicely got those actions performed without even being logged in first. At its core, this is a prompt injection with particularly expensive consequences. The language model can't reliably tell the difference between a harmless user request and a malicious instruction, as both are just text. The CyberSec Guru draws a comparison to SQL injection, where inputs also get misread as commands. The difference is that SQL can be locked down with clear rules. A language model has no clean separation between data and instructions. As such, for irreversible steps like a password reset, there should have been a hard, non-negotiable check, like a confirmation sent to the original email address on file, or a push notification to an already verified device. That safeguard was missing from the API path the AI could call. When support isn't a person anymore Meta announced in March that it was rolling out AI support for all Facebook and Instagram accounts, including password resets and security-related maintenance. On the product page, Meta advertised solutions rather than suggestions, along with account security and recovery features, according to 404 Media. In a blog post, Meta explicitly pitched the AI as a defense against account takeovers, saying it would detect suspicious location changes and password swaps. Instead, it was the way in. Affected users told 404 Media they couldn't reach a human through regular support channels. Anyone who wants to officially dispute a stolen account ends up in Meta's manual review process, which The CyberSec Guru says takes days, not minutes. By the time an account gets recovered, it's already been resold on Telegram. The patch fixes one variant, not the problem The wave of high-profile takeovers started on Friday, May 29. Meta shipped an emergency hotfix that same evening, disabling the vulnerable AI flows that had write access to email binding and password resets. The company publicly confirmed the fix on Monday in a statement to 404 Media, saying the issue was resolved and affected accounts were being secured. But according to The CyberSec Guru, the underlying method had been quietly working for months. The first mention in relevant Telegram channels dates back to late March. Meta pushed back on framing the incident as a data breach. There was no intrusion into its own systems, the company said, and users' Instagram accounts were secure. The CyberSec Guru counters that while this is technically true, it doesn't change the outcome much. For a user who lost a valuable short handle overnight, the difference between an intact database and a stolen account is academic. A logic-level flaw that enables account takeovers at scale is very much a breach of trust, even if no database row was touched. However, CyberSec Guru reports another possible exploit that was still unpatched at the time of publication and already circulating on Telegram. This method apparently works through Facebook's recovery flow. Attackers reportedly get Meta AI to activate a so-called development mode, then pad their request with supposed evidence of account compromise along with an email address.