In italian we say "l'operazione è riuscita perfettamente, ma il paziente è morto" -> "the surgery was a complete success, but the patient died"

Read that as "worked as written" and "we disclaim any consequential or incidental damages and do not warrant this software."

I continue to believe we could fix a lot of things in the US if we updated the UCC[1] to disallow 'disclaiming liability on software used in a product.'

[1] Universal Commercial Code -- https://www.law.cornell.edu/ucc

The tool worked correctly and as intended, but due to a bug it did not work correctly nor as intended.

That sounds a lot like the justifications Claude and ChatGPT give when confronted about something they did wrong, or when asked to provide a customer support response about software issues

Calling it a "bug in a separate code path" is so strange.

Are they indicating that their internal services were always compromised, it just took some AI with tool calling to discover it?

Oh it was a downstream dependency. The tool worked, it was the downstream dependency. Glory to Arstotszka

The argument here is that the AI is a glorified input page. The input field asks for your username and email and sends it to a backend function. Such an input page is working as intended.

The problem is when the backend function doesn't verify that the email matches the username.

Maybe they’re communicating exactly what it sounds like and are just owning up to being complete morons?

Error: Success!

I like to dunk on Meta as much as the next guy, but I think this makes sense: deterministic verification like this is not, and should never be, the LLM’s job. The tools it has access to should enforce the permissions layer, ensuring that the LLM can never perform actions the user themselves should not be allowed to perform. In this case, the tool failed to do that.

I'm sure. It was not working properly nor as intended.

What was that mantra? Something about broken software is what they aim for?

Then ‘ The tool itself’ was not appropriate to the job in the first place

> The tool itself worked properly and functioned as intended

The author of the post is close to the author of the AI code on the org chart

> however due to a bug in a separate code path, the system did not properly verify

The author of the post is far from the author of this "code path" on the org chart

so how long was the bug there? was there a way to access it before/without the support agent? it feels like Meta will throw anything under the bus to redirect blame from the AI, because that would be the end of their $600B (depending on “which number you want to go with”) experiment

How very Wernher von Braun of them.

There should have been a test case for this. There wasn't because most shops don't actually test their product. They do some test theater such as unit testing.

This-is-fine.jpg

Isn't that exactly what they said when Cambridge Analytics data gathering happened?

Of course.

What I gather is that this internal tool was used by human support agents, and it was their responsibility to verify the email adresses and general validity of a claim.

But when implementing AGI TM that was overseen, maybe the oversight in the separate code path was a 'bug', but the mistake was making the chatbot obviously, if the separate code path had a bug, then it had become ossified into a feature, and it was internal, not exposed to the public.

This is an external communication, to save face sure, but if this is the internal excuse, it would be absolutely the wrong RCA and it reads as if the one who made the mistake is not admitting they made their mistake. Which to be honest, just making the mistake is enough to get fired, but not admitting it is enough to get ultra fired.

No fan of Meta, but I think "staggering" is properly determined by the percent of users affected rather than the absolute number. It's staggering to an SMB with 100k customers; it's bad, but not "staggering" to an internet juggernaught with 3B MAU.

This could avoid flagging by Meta explicitly allow bot traffic to do stuff with impunity on its services. Don't tell me an army of people went through and compromised acct by acct.

One can only hope EU gives them a GDPR fine very close to the limit of 4% of global turnover. But when EU is actually need to protect customer I think they will fail.

> Meanwhile an account I created for a new product

Meta requires the main account to be created for a person, not a product, business, or non-human entity. That's why you got hit with the "Please confirm you are a human" confirmation and then the account was locked for violating community standards, which require primary accounts to be people.

The community standards page in the links they sent you are pretty dense and it's easy to think you're not violating anything if you're not posting adult content and the other obvious categories. This is the section you violated:

> Create an account that represents a non-human entity, such as a business, pet, or fictional character

You have to follow the steps to set up a business page from your personal account. Sorry you didn't know this before going through the process, but it's important to read the proper channels for setting up business pages on all of the social media platforms these days. They're all dealing with an onslaught of spam and scam pages and they're under a lot of pressure to keep them out.

This is extremely common, unfortunately, to a point where it's a known/expected outcome when you're first creating a brand or product page among those in the biz.

If this doesn't work, I'd encourage you to reach out to a brand/ad agency and pay them $100 to ask their meta contact to help you get unblocked. You pretty much have to know someone who knows someone at meta in order to create these.

Tip: Do not post about this on twitter or other platforms - you'll get a ton of automated spam.

Try using an anti-detect browser. They're built for making new accounts among other things.

They're awful with this. Any time I try to create an account to use for business purposes I'm asked for id within minutes and then they still ban the account. You need to fun everything through your personal account.

I tried creating an entirely separate account for a meetup group and had the same problem. Nothing I tried worked.

There's an excellent little book in German called "KI und der Neue Faschismus" [1] (AI and the New Fascism) where the author (Rainer Mühlhoff) tries to warn about the dangers of decisions based on opaque statistical models (like LLMs) instead of a clear, human auditable decision process.

[1]: https://rainermuehlhoff.de/KI-und-der-neue-Faschismus-Reclam...

Did you create the account separately? Or as an asset of your main Meta account (like Meta Business Suite)?

I'm creating the accounts in Meta Business Suite, so I would have a recourse with my main personal account which can be linked to some adspend, so I'm assuming it will have better support channels than accounts created through an end-user interface.

Realistically, how will this affect Meta at all? Some people are pissed, nobody else cares, business as usual.

Somehow this company still earns over a billion dollars a week in net profits, which I find puzzling.

What are their alternatives? I'm assuming that most of the 22k people with large audiences that need a large platform to reach them. Meta unfortunately, is the only platform that allows people to reach across many demographics. Its the people that follow the 22k accounts that are important, and they are unaffected by this and thus aren't leaving meta (and 99% won't even know this happened or care).

That sweet koolaid taste, how could one resist?

...They really ahouldn't have, and I wonder how this will affect all the big AI IPOs. After all, Meta is one of the big players in the space. Surely if they can't do it right, then...

Account recovery is by far the #1 kind of ticket any service will get. Either because people forget their credentials, lose their credentials, get hacked or get impersonated - and that's just the legitimate tickets, on top of that come illegitimate tickets from everyday script kiddies over ransom extortioners (i.e. the people that aim to steal "valuable" handles) to nation-state actors that, say, want to get access to DMs of people messaging oppositional accounts.

That in turn means three things... it costs a lot of money to have humans look at these tickets, the PR damage from both acting and not acting on such requests can be immense, and users/customers can be anything from the smartest and richest people on the world down to the kind of utter imbeciles whose brains get surpassed by bears [1] or who plainly are not able to write. To make it worse, often enough online services don't have any kind of tie back to some known government-issued ID (either directly or by a proxy such as a mobile phone SIM), there's corruption involved on all levels, and for particularly "juicy" targets the stakes, if they can be converted to a monetary amount at all, can reach into the millions of dollars.

Now, Instagram alone has 3 billion (!) users from across the world, so they are bound to not just having to spend a lot of money on user support (remember, we are talking about the entire world, they also need to deal with about 7.000 (!) actively spoken languages, and having attack targets that are as powerful as US Presidents or as rich as Elon Musk. Clearly, the risk management involved in the entire idea was horribly deficient, but let's not act like this is a trivial problem domain in the first place. And hence the push for AI, simply because it - if done correctly - can take a lot of work off of the first-level support desks for a fraction of the money.

[1] https://velvetshark.com/til/til-smartest-bears-dumbest-touri...

[2] https://www.sapiens.org/language/world-languages-counting-me...

The nature of the invention is for people to relieve themselves of the burden of having to use their minds. And while there will be exceptions, (including, I'm sure you: the person reading this comment,) the vast majority of people are hungry to use AI in that spirit of being able to be lazy.

Shouldn't even have the ability to reset the user's own account

In their defense, they asked the LLM to make no mistakes

Because software professionals are conflating simplicity of user experience with simplicity of dev experience.

During development they were likely not thinking of the user experience, nor even the support agent experience, but on their development experience, they asked the LLM to develop the chatbot, and it worked, and the speed was documented and reported upstream so that shareholders invest, if there is any forethought it would go against the narrative of AI becoming the engineer or 100xing productivity.

2FA did not help according to the primary finding

https://news.ycombinator.com/item?id=48359102

It won’t be.

also this is more like them leaving the keys in the door, then someone comes along, uses the keys, and steals all your stuff.

truthfully, no equipment is actually defective in this scenario eh?

> God can only hope this is a business ending lawsuit.

You realize this is the company that enabled a genocide and got away with it? Not to mention accelerating teenager suicides with full knowledge.

Meta's brand is already toxic. Idk if there's much to lose there.

> Date(s) Breach Occured: 04/17/2026

> Date Breach Discovered: 05-31-2026

No, it's still abuse. Just like it's still stealing even if I left my front door unlocked.