Meta's AI Support Agent Bound Recovery Emails for Anyone Who Asked. Your SOC Never Saw an Alert.

Meta's AI support agent was designed to assist users with account recovery, but it ended up being exploited by attackers to gain control of several high-profile accounts, including those of Sephora, U.S. Space Force senior enlisted leader Chief Master Sergeant John Bentivegna, and researcher Jane Manchun Wong. The attackers were able to bind recovery emails to the accounts without triggering any security alerts, thanks to the agent's ability to write to authentication state and execute changes without being monitored.

The attack was remarkably simple, with the attackers using a VPN to appear in the victim's region, asking the support assistant to add a new email and send a verification code, and then using the code to reset the password. The entire process took just minutes, and it was made possible by the agent's lack of deterministic checks between requests and committed changes. The incident highlights a major flaw in Meta's account recovery process, which allowed the attackers to exploit the system without being detected.

According to security researchers, the issue is not with Meta's implementation, but with the architecture of the recovery path itself. The recovery path runs beside the login path, which is gated by multifactor authentication (MFA), but the recovery path does not have the same level of protection. The attackers were able to bypass MFA by using an AI video generator to create a convincing selfie video, which Meta accepted as valid identity verification.

This was possible because the recovery path does not have the same level of security checks as the login path. Security experts warn that this type of attack is likely to become more common, as AI-powered support agents become increasingly prevalent. Ian Goldin, a threat researcher at Lumen's Black Lotus Labs, notes that AI bots are just as easy to social engineer as human agents, and that enterprises need to be aware of the risks.

The fix is not to add another MFA prompt to the login screen, but to pull authorization out of the recovery path's honor system and put it behind a gate that cannot be bypassed by a convincing prompt. This requires building the agent so that the security operations center (SOC) sees every write it makes, and so that any write that changes who owns an account cannot commit without a check that the model does not control. The AI Authority Audit Grid provides a framework for security operations leaders to assess their own support agents and identify potential vulnerabilities.

The grid maps every authentication write a support agent can make on the recovery path, what Meta's incident proved about each one, why it stays dark to the SOC, and the control that closes it. In conclusion, Meta's AI support agent incident highlights the need for enterprises to rethink their approach to account recovery and security. By understanding the vulnerabilities in their own systems and taking steps to address them, organizations can prevent similar attacks from occurring in the future.