Clicking through to the 404 Media article, I found this gem of a quote:

In a March blog post called “Boosting Your Support and Safety on Meta’s Apps With AI” announcing its AI support feature, Meta said that the system can “Prevent an account takeover by noticing it was suddenly accessed from a new location, the password was changed, and edits were made to the profile—changes that, in isolation, look harmless to a person reviewing the account, but AI was able to recognize as a threat.”

The very thing they boasted about the AI protecting against, not only did it not work, but it enabled that kind of attack. And they didn’t detect the exploit internally: this has been trending on Telegram since March, and only when the social media activity got large enough did they realize. Epic fail on Meta’s part.

“The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account,” said Meta in its breach notice.

Then the tool didn’t work properly nor did it function as intended.

The rest of that blubbering stream of excuses sounds like a toddler arguing why they deserve ice cream.

“The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account,” said Meta in its breach notice.

What