Meta patches flaw that allowed MetaAI support bot to hand out password reset links without 2FA

Mark Zuckerberg's personal Facebook account is displayed on a mobile phone with the Meta logo visible on a tablet screen in this photo illustration in Brussels, Belgium, on January 7, 2025.
(Image credit: Getty Images / NurPhoto)

  • Cybercriminals tricked Meta’s AI customer support agent into forwarding password reset codes
  • Stolen short-handle accounts, valued at over $1M combined, were listed for sale across Telegram
  • Attack highlights risk of delegating sensitive tasks to AI systems

Cybercriminals successfully pulled off a social engineering attack against Meta’s customer support, tricking the representative into initiating a password reset sequence without asking for any identity verification.

The news here is that the representative was actually an AI agent, not a human being at all. The researchers who disclosed the attack stressed just how dangerous it is to hand over sensitive assignments to AI. Meta fixed it soon after.

According to reputable researchers ZachXBT and Dark Web Informer, cybercriminals engaged in conversation with Meta’s AI chatbot and had it forward password reset codes for someone else’s accounts. The target accounts are premium, short-handle ones that usually have millions of followers and can therefore be sold for a lot of money on the black market.

Selling the stolen accounts

In fact, the researchers mentioned two specific accounts – @hey and @jowo, which were allegedly being sold in Telegram channels for “over 1 million combined”, Cybersecurity News reports.

Researchers were following the sales activity, tracking the stolen account listings as they circulated across different hacking collectives on Telegram.

Meta fixed the issue last Friday night: “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems and people’s Instagram accounts remain secure,” the company said in a follow-up announcement.

Users are constantly being warned about social engineering and phishing attacks, and advised on how to keep their accounts secure. In this case, however, there is nothing they could have done, since the attack targeted the platform itself, not its users.
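The platform-side control this attack bypassed, written as an added illustrative example (not Meta's code): the support agent's ability to trigger a recovery action is decided by code outside the language model, which checks that the platform has already authenticated the requester as the target account's owner with a fresh second factor, and records every attempt for detection. The tool names, the 300-second freshness window and the account handles are assumptions.

```python
"""Authorization gate for an AI support agent's tool calls (illustrative, not Meta's code).

The model may *ask* for a tool; whether a sensitive tool runs is decided here,
from platform-verified session state, never from the chat transcript.
"""
from dataclasses import dataclass, field
from typing import Optional

# Tools that can take over an account and therefore require a verified owner (assumed names).
SENSITIVE_TOOLS = {"request_password_reset", "change_recovery_email"}
STEP_UP_MAX_AGE = 300.0  # seconds a second-factor check stays fresh (assumed policy)


@dataclass
class Session:
    account: Optional[str]            # account the platform authenticated; None for anonymous chat
    mfa_verified_at: Optional[float]  # epoch seconds of the last successful second factor


@dataclass
class ToolGate:
    audit: list = field(default_factory=list)  # every sensitive attempt, allowed or denied

    def authorize(self, session: Session, tool: str, target_account: str, now: float) -> bool:
        """Return True only if the platform, not the chatbot, has verified the requester."""
        if tool not in SENSITIVE_TOOLS:
            return True  # FAQ lookups and similar need no step-up
        if session.account is None:
            reason = "anonymous_session"          # the scenario in the article: chat alone
        elif session.account != target_account:
            reason = "target_mismatch"            # logged in, but asking about someone else's account
        elif session.mfa_verified_at is None or now - session.mfa_verified_at > STEP_UP_MAX_AGE:
            reason = "stale_or_missing_second_factor"
        else:
            reason = "ok"
        self.audit.append({"tool": tool, "target": target_account, "result": reason})
        return reason == "ok"


def demo() -> dict:
    """Constructed scenario: anonymous chat vs. verified owner asking to reset 'victim_handle'."""
    gate = ToolGate()
    now = 1_700_000_000.0
    anonymous = Session(account=None, mfa_verified_at=None)
    owner = Session(account="victim_handle", mfa_verified_at=now - 60)
    return {
        "anonymous_chat_reset": gate.authorize(anonymous, "request_password_reset", "victim_handle", now),
        "verified_owner_reset": gate.authorize(owner, "request_password_reset", "victim_handle", now),
        "denial_reason": gate.audit[0]["result"],
    }
```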


Still, multi-factor authentication (MFA) is probably the best protection against phishing and social engineering, provided the one-time codes are not delivered via SMS. Registering the account with a private email address that is not publicly associated with you is another solid strategy.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
