At a glance.
- Threat actors compromised more than 20,000 Instagram accounts via Meta's AI support tool.
- Meta files contempt order against NSO Group.
- Nemesis Market dealer sentenced to 26 years in prison.
Threat actors compromised more than 20,000 Instagram accounts via Meta's AI support tool.
Meta has confirmed that a bug in its AI support tool allowed threat actors to take over more than 20,000 Instagram accounts at the end of May, Infosecurity Magazine reports. The AI tool, called "High Touch Support (HTS)," is designed to help users regain access to their accounts by requesting a password reset link, but the tool failed to verify that the specified email address belonged to the particular Instagram account.
Meta said in a letter to Maine's Attorney General, "The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account. As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request. This allowed unauthorized third parties to receive a password reset link for accounts they did not own. Upon resetting the password, the unauthorized party was able to log in to the account if the account holder had not enabled two-factor authentication (2FA)."
Meta has disabled the tool while the company fixes the issue.
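The missing check described in Meta's letter, as an added example that is not Meta's code: a password-reset handler that mails the link to whatever address the requester supplies, beside one that rejects a mismatch and delivers only to the address on file. The function names, account data and audit list are hypothetical and constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data: account handle -> email address on file.
ACCOUNTS = {"alice_photos": "alice@example.com"}


def _norm(email):
    """Normalise for comparison: trim whitespace, case-fold."""
    return email.strip().casefold()


def reset_flawed(accounts, handle, supplied_email):
    """Behaviour described in the letter: the link goes to the address the
    requester supplied, with no check that it belongs to the account."""
    if handle not in accounts:
        return None
    return {"to": supplied_email, "token": secrets.token_urlsafe(32)}


def reset_checked(accounts, handle, supplied_email, audit):
    """Reject the request unless the supplied address matches the one on
    file, and deliver only to the stored address, never to caller input."""
    on_file = accounts.get(handle)
    if on_file is None:
        audit.append(("unknown_account", handle))
        return None
    same = hmac.compare_digest(_norm(supplied_email).encode(),
                               _norm(on_file).encode())
    if not same:
        # Mismatch events are the detection signal: a burst of them per
        # source or per account is worth alerting on.
        audit.append(("email_mismatch", handle))
        return None
    return {"to": on_file, "token": secrets.token_urlsafe(32)}
```

Routing the message to the stored address rather than the supplied one means a later regression in the comparison still cannot redirect the link.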
Meta files contempt order against NSO Group.
Separately, Meta has asked a federal judge to hold spyware vendor NSO Group in contempt of court, accusing the Israeli company of continuing to target WhatsApp users despite a permanent injunction prohibiting it from doing so, the Register reports.
Meta stated, "We successfully disrupted NSO-linked social engineering attempts, after investigating user reports. They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO. We also caught them creating test accounts and groups on WhatsApp, which we took down."
Nemesis Market dealer sentenced to 26 years in prison.
A California man has been sentenced to more than 26 years in prison for trafficking fentanyl and methamphetamine through the major darknet marketplace Nemesis Market, BleepingComputer reports. 39-year-old Darren Hughes of San Jose was convicted late last year and sentenced in May. The US Justice Department stated, "[Hughes] operated a vendor store offering free samples of methamphetamine on the Nemesis Market, one of the world’s largest dark web markets. When an undercover law enforcement agent contacted the vendor store, Hughes agreed to mail the law enforcement agent a free sample of meth from California to Chicago. Thereafter, on five occasions in 2023, Hughes sold the law enforcement agent meth and fentanyl pills in exchange for cryptocurrency. Hughes was arrested in Redwood City, Calif., in June 2023 after agreeing to sell additional meth to undercover agents in Chicago."
Nemesis Market was one of the largest online criminal marketplaces before it was shuttered by German and US law enforcement in 2024.