Post by Kansas City Managed IT
AI will hand over your 2FA. Meta's AI just did.

Last weekend, hackers opened a chat with Meta's AI support bot. Asked it to link a new email to an account they didn't own. The bot, with full backend access to Meta's account systems, sent the verification code to the attacker's email instead of the one on file. From there: password reset, account locked, owner gone. The whole thing took minutes.

Accounts without 2FA fell instantly. Accounts with 2FA fell anyway, when attackers added AI-generated selfie videos to fool Meta's identity check.

That's the new attack surface. AI agents with privileged access to account systems, sitting in front of every login flow on the internet. Each one is a potential "confused deputy," a helper with elevated permissions, tricked into using them on someone else's behalf. The concept dates to 1988. The new twist: the deputy is now a language model, and anyone who can write a polite sentence can redirect it.

Every business is deploying these same kinds of AI agents right now. Into customer service. Account recovery. Internal workflows.

If yours has any AI acting on behalf of users, three questions matter more than anything else:

· What does it have permission to do?
· Who verifies the user behind each request?
· Where does the verification code go?

If you can't answer those, your 2FA is held together by the assumption that no one will ever ask your AI nicely. Last weekend proved that assumption wrong.

How confident are you in the AI you've already turned on?

#AI #Cybersecurity #ManagedIT #SmallBusiness #KansasCity
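
The three questions above, written as a server-side gate that sits between an AI support agent and the account backend. This is an added example, not part of the original post and not Meta's or any vendor's code; every name in it (`Session`, `ToolCall`, `authorize`, the account record) is hypothetical and the data is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample record, standing in for the real account store.
ACCOUNTS = {"acct-1001": {"email_on_file": "owner@example.com"}}

# Question 1: what the agent may do at all. Everything else is denied.
AGENT_ALLOWED_ACTIONS = {"send_verification_code", "request_email_change"}


@dataclass(frozen=True)
class Session:
    """Identity proven to the login system, never taken from chat text."""
    authenticated_account: Optional[str]  # None means an anonymous chat


@dataclass(frozen=True)
class ToolCall:
    """What the language model asked the backend to do (untrusted input)."""
    action: str
    account_id: str
    args: dict = field(default_factory=dict)


def authorize(session: Session, call: ToolCall) -> dict:
    """Return the operation the backend will run, or raise PermissionError."""
    if call.action not in AGENT_ALLOWED_ACTIONS:
        raise PermissionError(f"agent may not perform {call.action!r}")

    # Question 2: the request must target the account this session proved
    # it owns. The model's belief about who it is talking to is ignored.
    if session.authenticated_account is None:
        raise PermissionError("anonymous chat cannot act on an account")
    if session.authenticated_account != call.account_id:
        raise PermissionError("session is not authenticated as this account")

    # Question 3: the code destination is read from the record on file.
    # Any address the model passes in args is never used as a destination.
    on_file = ACCOUNTS[call.account_id]["email_on_file"]
    if call.action == "send_verification_code":
        return {"do": "send_code", "to": on_file}

    # An email change is only staged; the confirming code still goes to
    # the address already on file, so the current owner must approve it.
    new_email = call.args.get("new_email")
    if not new_email:
        raise PermissionError("email change requires a new_email argument")
    return {"do": "send_code", "to": on_file, "pending_email": new_email}
```

The gate runs in the backend, outside the model, so a persuasive prompt can change what the agent asks for but not what the backend agrees to do.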