“Abusing”
From what I heard, all they did is ask to reset a password. Is that “abuse”, or a failure of the chatbot?
failure of a company
It’s technically abuse because the actors didn’t have the authority to ask for a password reset for those accounts. It’s the legal shenanigan they use to avoid culpability.
It is however stupid, but only the stock price will hold them accountable.
And they gave the chatbot account management permissions why?
And if the fix is to tell the chatbot “don’t do that” (by putting in guardrails to the bot itself) then it’ll happen again and again as long as it still has rights to make those changes.
It replaced support staff
“The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account,” said Meta in its breach notice.
Why is the chatbot providing the e-mail address in the first place? It should just have a function it can call that triggers an account reset mail to be sent for a given account, with no other parameters.
This statement reads like they wanted to shield their use of AI from critique, but in making it, they’ve admitted to a level of carelessness which could very well get them sued under the GDPR. What a load of hubris.
that’s gotta be among the dumbest ways to get hacked
Right up there with giving the hacker your password because he called, pretended to be tech support, and asked you for it.
