In early June 2026, attackers exploited Meta's AI-powered customer support agent to hijack Instagram accounts. No sophisticated exploit: they simply convinced the AI to reset passwords. The operation was codenamed Mythos. The result? Hundreds of compromised accounts, brands hit, users locked out.
This isn't just a security incident. It's a symptom of a deeper issue: Big Tech is deploying AI in critical processes without adequate safeguards. When a chatbot can be manipulated to bypass authentication, it's not a bug – it's systemic design failure.
Why it matters for Italian SMEs
Thousands of Italian businesses rely on Instagram as a sales channel. A hijacked account means days of lost revenue, damaged reputation and confused customers. And Meta's response? Another chatbot ticket. We at Meteora Web manage e-commerce sites that depend on these platforms, and we see it daily: SMEs' security is in the hands of third parties who are not held accountable for their flaws. The cost isn't just direct – it's also the time wasted rebuilding trust.
Europe is debating the AI Act and its transparency obligations. But this episode exposes the limit: regulation always arrives after the incident. We need a shift: direct liability for AI providers when their systems cause harm, automatic fines for avoidable security flaws, and mandatory audits of AI used in critical processes. Otherwise, SMEs remain digital cannon fodder.
Our position is clear
We at Meteora Web have always said that security is not optional. When a server breaks, an SSL certificate expires or a form lacks protection, the cost is real. But here it's not human error: it's a business model that rushes AI features to market without proper security testing. Big Tech treats security as a cost, not an investment. Who pays? The small businesses that rely on these tools with no real alternatives. The AI Act must include liability for damages caused by model manipulation. Not guidelines, not recommendations – binding rules with fines that hurt.
The digital divide is also one of bargaining power. A company in Sciacca can't negotiate with Meta. Who should protect them? The European legislator. So far, too little has been done.
Here's what to do now: if you run a business profile on social platforms, enable two-factor authentication on every account, limit chatbot permissions, monitor active sessions. But most importantly: stop treating these platforms as reliable infrastructure. Build direct channels with your customers – email, owned website, CRM. The technology you own is the only one you control.