Severe Meta Cybersecurity Incident Caused by AI Agent

The Information reports that a cybersecurity incident classified as the second-highest severity level Sev 1 occurred due to an AI agent similar to OpenClaw.

The incident happened after a Meta employee used an in-house AI agent similar to OpenClaw to analyze a technical question from another employee in an internal discussion forum. The agent then posted a response to the original questions without confirmation from the employee. The employee who posted the question then acted on the advice from the agent.

For almost two hours, internal data about employees and users was accessible to engineers who weren’t supposed to have access to it.

Reportedly, there was no evidence that anyone took advantage of this access.

Meta classified the incident as Sev 1, the second-highest level of severity on an internal scale used to classify security incidents.

The employee told The Information that other security issues also contributed to the severity of the incident.

This isn‘t the first time AI agents have caused issues at Meta.

Sumnew Yue, Meta’s director of Safety and Alignment, asked OpenClaw to look over her emails and recommend what to delete and what to archive. She explicitly asked it to confirm before acting, however the agent began deleting emails without permission.

Even after telling it to stop multiple times, the agent kept on deleting emails.

With the rise of AI agent software these types of incidents are becoming more and more common as people rely on them more and more for seemingly innocuous tasks.

Many of these agents lack proper safeguards and sandboxing that other types of software have had decades to build up. It’s not an easy problem either: securing AI agents will requires whole new paradigms in security. Not only do they need to be secured against acting without permission like in these incidents, they also need to be secured against attackers.

Since AI can’t tell the difference between input and instructions, opening them up to prompt injection attacks, where an attacker replaces the instructions given to the agent with their own, bypassing safeguards and restrictions.

Trail of Bits previously wrote in a blog post about the weaknesses of agentic browsers. They compare the current shortcomings to those of early cross-site scripting attacks in early web browsers.

They give some detailed instructions on how the security of agents can be improved. Google has their own research on securing AI agents, and Microsoft describes how they try to secure agents in Windows.

We’re still in the early stages of AI agents, where the developers of the software are still trying to figure out the best ways to secure agents so they do what we want and only have access to exactly what they need at any given time. If you’re someone jumping on the AI agent bandwagon, it might be worth it to wait for the security research to catch up with this technology.