The National Cyber Security Centre (NCSC) has issued an emergency alert this morning after a sophisticated breach of Instagram’s AI-powered chatbot, Meta AI. British users are being urged to disable the feature immediately as the hackers exploited a vulnerability in the natural language processing layer to exfiltrate personal data and inject malicious prompts. This is not a drill: the attack, believed to originate from a state-sponsored group, weaponised the chatbot’s ability to mimic human conversation, tricking users into sharing login credentials and payment details. The NCSC warns that the breach could affect millions in the UK, given the chatbot’s integration into direct messages and stories. Technology & Innovation Lead Julian Vane examines the implications.
First, let’s understand the attack vector. Meta AI, rolled out globally last year, uses a large language model to suggest replies, edit photos, and answer queries. The hackers, tracked as ‘GhostNet 2.0’, reverse-engineered the model’s prompt engineering safeguards. They injected a payload that made the chatbot respond to specific keywords with phishing links, hidden in seemingly benign answers. For example, asking ‘What’s the weather like?’ could trigger a response with a malicious URL disguised as a Met Office link. Once clicked, that allowed remote access to the user’s device, including camera, microphone, and contact lists. This is a chilling escalation of AI-powered social engineering.
The NCSC’s emergency guidance is threefold. First, disable the chatbot in Instagram settings: Settings > Privacy > Meta AI > Toggle Off. Second, change your Instagram password immediately, and enable two-factor authentication using an authenticator app, not SMS. Third, monitor bank accounts and credit reports for unusual activity. The NCSC has also activated its Cyber Incident Response teams to assist affected users, but the sheer scale of the attack suggests this could take weeks to contain. Meta has not yet commented, though an internal memo seen by our newsroom confirms they are ‘working on a patch’.
This incident raises deeper questions about the unsupervised deployment of AI in consumer products. We have been racing to integrate large language models into every app, from photo editing to customer service, without adequately stress-testing them against malicious inputs. The ‘Black Mirror’ scenario I have long warned about is now real: an AI that knows your preferences, your friends, your location, and your emotional state can be turned against you with terrifying precision. The GhostNet attack essentially turned Meta AI into a spy, harvesting data that could be used for blackmail, identity theft, or even political manipulation.
British users are particularly vulnerable because of the UK’s high Instagram penetration: over 35 million active accounts. The NCSC’s quick response is laudable, but it feels like putting a plaster on a broken leg. We need regulatory frameworks that mandate adversarial testing for any AI that interacts with the public. The EU’s AI Act has provisions for ‘high-risk’ systems, but chatbots that can scrape personal data are conspicuously absent. The UK’s Online Safety Bill is also silent on this specific threat.
For now, the tech community is mobilising. Independent researchers have already identified the malicious prompts and published blocklists. But this cat-and-mouse game is exhausting. The real solution is to design AI with security by default, not as an afterthought. This means using differential privacy to anonymise user data, encrypting local model inference, and implementing human-in-the-loop oversight for any sensitive actions.
The irony is that the same technology that powers the chatbot could be used to defend against it. AI anomaly detection systems can flag unusual prompt patterns in milliseconds. But deploying such defences requires Meta to share more data with security researchers, a trade-off it has historically resisted. Perhaps this breach will force a change of heart.
As I write this, my own Instagram is offline. I have followed NCSC guidance and switched off the chatbot. But the damage may already be done. The question haunting me is not whether this AI will be weaponised again, but when. And whether we will learn from this before the next, more lethal, exploit emerges. The future is here, and it is fragile. Stay safe, and stay sceptical of every friendly bot.
