Meta's AI chatbot handed attackers the keys to 20,000 Instagram accounts. Here is exactly how.

Meta wired its AI chatbot into account recovery. Attackers asked it to hand over access. It complied.

In March 2026, Meta rolled out an AI-powered support assistant across Facebook and Instagram. The feature was built for speed — faster account recovery, no waiting for a human agent, self-service password resets and email changes. Solutions, not just suggestions, the product page said.

What Meta built, without apparently realizing it, was a backdoor.

Starting April 17, attackers discovered that Meta's High Touch Support (HTS) tool — the AI chatbot handling account recovery — could be prompted to change the email address associated with any Instagram account. The attack required almost no technical skill. The attacker opened a chat with the support bot, used a VPN — a Virtual Private Network — to spoof the target's geographic region, and sent a message that amounted to: "Just link my new email address to this account." The chatbot sent a verification code to the attacker's email. The attacker shared the code. The chatbot offered a password reset. The account was gone.

The AI was not hacked with code. It was hacked with a conversation.

The accounts compromised include the @obamawhitehouse Instagram account — dormant since 2017, briefly displaying pro-Iranian political imagery — the U.S. Space Force Chief Master Sergeant's account, and Sephora's brand account. Security researcher Jane Manchun Wong, who monitors platform security professionally, had her own account taken over twice. Meta said it fixed the issue on June 1. By June 2, more accounts were being hijacked anyway.

Meta confirmed the breach in a filing with Maine's Office of the Attorney General. The official numbers: 20,225 accounts compromised nationally. The breach window ran from April 17 to early June — approximately seven weeks of an open door. Meta discovered the problem on May 31.

The issue is structural, not incidental. Meta wired a language model into a high-trust authentication flow — one that could change account credentials — without adequate identity verification. The system was designed to be helpful. It was not designed to be skeptical. Ian Goldin, a threat researcher at Lumen's Black Lotus Labs, told KrebsOnSecurity that AI chatbots create a new attack surface and that such systems are as open to social engineering as human agents — eager to help and easy to persuade.

This is the AI governance problem in concrete form. Not a theoretical risk about future systems. A real authentication failure, on a platform used by three billion people, that ran undetected for six weeks because the attack looked like a support conversation.

The legal dimension: Meta's prior regulatory history is relevant here. Ireland fined the company €265 million in 2022 for failing to protect user data from scrapers and €91 million for storing passwords in plaintext. The HTS incident adds a new entry — an AI tool deployed in a security-critical context performing privileged account actions without basic identity verification. GDPR exposure and FTC scrutiny are both credible downstream risks.

The Gentlemen ransomware spreads itself. 332 victims in five months. And their own servers just got hacked.

The Gentlemen is a Ransomware-as-a-Service (RaaS) operation — meaning the group builds and maintains the ransomware platform, then licenses it to affiliates who carry out the actual attacks in exchange for a cut of the ransom. Most RaaS operations offer affiliates 70-80% of the payout. The Gentlemen offers 90%. That model has worked. 332 confirmed victims in the first five months of 2026 makes it the second most prolific RaaS operation globally.

What makes The Gentlemen technically distinctive is the self-propagation capability. Most ransomware requires an attacker to manually move through a network before detonating. The Gentlemen's encryptor — written in the Go programming language — does it automatically. Once it lands on one machine, it enumerates network shares, traverses connected systems, and spreads without ongoing human intervention. The most powerful deployment method: using Active Directory's Group Policy infrastructure to simultaneously detonate the ransomware on every computer in the domain at once.

Before encrypting, the malware disables Windows Defender and other endpoint protection tools, terminates backup and database processes, deletes shadow copies — the automatic Windows backup snapshots — and cleans event logs to limit forensic visibility. By the time a security team notices something is wrong, the encryption is already complete.

In early May 2026, The Gentlemen got a taste of their own medicine. Researchers breached the group's own backend infrastructure — a Rocket.Chat server — and extracted 3,366 internal messages. The leaked logs exposed affiliate rosters, ransom negotiation transcripts, operational tooling discussions, and server credentials. One thread confirmed a direct infrastructure link to Black Basta, an earlier ransomware brand that law enforcement disrupted in 2025. The same negotiator handle appeared in both operations' logs.

The sectors targeted: Healthcare, education, transportation, and financial services across North America, South America, Europe, Africa, and Asia. The FBI's 2025 Internet Crime Report found healthcare recorded 460 ransomware attacks in 2025 — the most of any critical infrastructure sector. The Gentlemen is actively targeting all of them.

SolarWinds is being exploited again. CISA added it to the KEV catalog. Federal deadline is June 19.

SolarWinds Serv-U is a managed file transfer and FTP server used extensively by organizations in healthcare, finance, and government — sectors that require secure, auditable file transfers with strict data sovereignty requirements. It is exactly the kind of infrastructure that holds sensitive regulated data. On June 5, CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild.

The vulnerability is classified as an uncontrolled resource consumption flaw — meaning an attacker can force the software to exhaust system resources until it crashes. The attack requires no authentication. An unauthenticated attacker sends a specially crafted HTTP POST request with a compressed payload that the Serv-U service cannot properly handle. The service crashes. File transfers stop. And in a broader attack chain, a crashed file transfer server creates a distraction window while other malicious activity proceeds undetected.

SolarWinds Serv-U has a documented history as a high-value target. The Clop ransomware gang previously exploited a Serv-U remote code execution flaw in 2021. Chinese state-sponsored threat group DEV-0322 weaponized the same flaw in zero-day attacks. CISA's current KEV listing for CVE-2026-28318 carries a CVSS score of 7.5 — high severity — with a federal remediation deadline of June 19, 2026 under Binding Operational Directive 22-01.

The fix: SolarWinds has released Serv-U version 15.5.4 Hotfix 1 addressing the vulnerability. As an interim mitigation, blocking requests containing the "content-encoding" header eliminates the attack vector since Serv-U does not require that functionality. If you manage Serv-U deployments — patch now. The federal deadline is not the relevant deadline. Active exploitation in the wild is.

The Silent Ransom Group is walking operatives into law firm offices. 38 firms have already been leaked.

The Silent Ransom Group — tracked by researchers as UNC3753, Luna Moth, and Chatty Spider — is a Russia-linked extortion operation that has been targeting U.S. law firms since 2023. This week, Mandiant released a detailed report on the group's January through May 2026 campaign, and the FBI issued a concurrent FLASH advisory. The headline is not the vishing. It is the in-person component.

Here is how the attack chain works. The group sends a benign-looking invoice-themed email to a target employee — something designed to look like a routine billing issue that needs attention. The email prompts a callback. When the employee calls the number, they reach an attacker posing as their own IT helpdesk. The attacker convinces the employee to join a remote support session via Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services. Once inside, the attacker exfiltrates sensitive data and disconnects — telling the employee the overnight maintenance is complete. Ransom demand follows within hours. Victims typically get three days to negotiate.

The escalation: In at least some confirmed cases, the group has sent physical operatives into law firm offices posing as IT technicians, extracting data directly to USB media from local computers. This moves the threat from a cyber operation to a combined physical and cyber operation.

Mandiant is explicit about why law firms are the target: they maintain concentrated repositories of client transaction files, merger and acquisition plans, trade secrets, and corporate regulatory reports. The extortion letters are written to maximize pressure — explicitly referencing reputational and regulatory damage if the breach becomes public. Thirty-eight firms have already had data leaked on the group's public leak site. Orrick, Herrington & Sutcliffe — a firm with over 25 global offices and $1.5 billion in annual revenue — was among them after declining the ransom demand in January 2026.

The group does not use ransomware encryption. There is no locked system to unlock, no decryption key to negotiate for. The leverage is purely the threat of public data exposure. That distinction matters for incident response: there is no technical recovery path. The only question is whether the data gets published.

AI chatbots are the new social engineering target. Meta is not the only platform that should be worried.

The Meta HTS exploit is not an isolated incident. It is a preview of an attack category that is going to expand significantly as more companies wire AI into customer service, account management, and support workflows.

The underlying vulnerability is not a software bug in the traditional sense. It is an alignment problem. Large language models — the AI systems powering these chatbots — are trained to be helpful, coherent, and persuasive. They are not naturally skeptical. They do not have the trained instinct that a human support agent develops over months of encountering fraudulent requests. When an attacker frames a request the right way, the AI complies because compliance is what it is optimized to do.

The Meta attack required no malware, no phishing link, no stolen password, and no technical expertise. It required a conversation. The attacker asked the AI to do something it had the technical capability to do, framed the request in a way that sounded routine, and the AI did it.

Every company currently deploying AI chatbots with access to account management, password reset, payment processing, or credential changes needs to be asking the same question: what actions can our AI take, and what verification is required before it takes them? If the answer to the second question is "it sends a code to the email address the user provides" — that is not verification. That is the attack.

For individuals: Enable two-factor authentication (2FA) on every account that supports it. The Meta exploit specifically did not work against accounts with 2FA enabled — the additional verification layer was enough to block it. This is the single most effective control available to individual users right now.

Privilege escalation flaws in Phoenix Contact industrial controllers could give attackers root access to physical systems.

Nozomi Networks Labs this week disclosed a vulnerability chain affecting Phoenix Contact PLCnext industrial controllers — the Programmable Logic Controllers (PLCs) that run physical processes in manufacturing, energy, water, and critical infrastructure environments. The researchers found that weaknesses in privilege management allowed a lower-privileged user to interact with components operating at higher privilege levels, ultimately enabling unauthorized actions beyond the permissions originally assigned.

In plain terms: an attacker who gains limited initial access to one of these devices can escalate to root — the highest level of access — and from root they can modify control logic, alter setpoints, disable safety interlocks, or manipulate the physical processes the controller manages. In an IT environment, root access on a server means data exposure. In an OT environment, root access on a PLC means potential physical consequences — pumps, valves, turbines, and manufacturing equipment operating outside safe parameters.

Phoenix Contact's PLCnext platform is notable because it combines traditional PLC control functions with an open software architecture — meaning it runs a real operating system and supports third-party applications, unlike older PLCs that ran proprietary firmware. That openness creates capability. It also creates attack surface. The same web interface and API that enable remote management also provide the interface that Nozomi's researchers exploited.

The ISA/IEC 62443 standard — the international framework for industrial cybersecurity — specifically addresses privilege management and defense in depth in OT environments. Organizations running PLCnext devices should review their zone and conduit architecture and confirm that web interfaces are not exposed beyond the control network. If you have not conducted a security assessment of your PLCnext deployment, now is the time.