New AI Realities of Unintended Consequences
6–8–2026 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, June 8, 2026, and, at least as I’m recording this, the war in Iran continues and the Strait of Hormuz remains closed.
New Realities of Unintended Consequences
This week, we’re going to talk about an example of Unintended Consequences, but hopefully do so in a way that’s more instructive than punitive.
We learned last week that an AI chatbot created by Meta (you know, the company that used to be called Facebook) was used to hijack Instagram accounts.
What happened? Fair question. According to reporting from This Week in Security, it would appear that “hackers abused a flaw in Meta's chatbot that allowed anyone to reset the password of any account that did not have two-factor authentication switched on. The bug tricked the chatbot into sending a verification code to an email address controlled by the hacker, rather than the account holder's email address on file, simply by asking it. The chatbot complied anyway.”
In a filing made with the Maine Attorney General, Meta noted that more than 20,000 people have been impacted by this bug, and in their letter described the pattern as:
“The tool itself worked properly and functioned as intended; however due to a bug in a separate code path, the system did not properly verify that the email address provided by the individual requesting a password reset matched the email address associated with that user’s Instagram account.”
“As a result, when an individual provided an email address not previously associated with the account, the system incorrectly sent a password reset link to that unassociated email rather than rejecting the request. This allowed unauthorized third parties to receive a password reset link for accounts they did not own.”
So, essentially an input validation logic issue, but at Meta scale with AI doing whatever the nice hackers asked it to. And, once attackers figured out they could exploit this path, they rapidly spread the information on their Telegram channels, increasing the negative impact.
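The check Meta's letter says was missing, as an added example that is not Meta's code or part of the original brief: a reset handler that trusts the requester-supplied address, next to one that treats it only as a claim and mails the address on file. The function names, account store and addresses are constructed for illustration.

```python
import hmac
import secrets

# Constructed data: account names and addresses are illustrative only.
ACCOUNTS = {"alice": {"email": "alice@example.com"}}
OUTBOX = []    # (recipient, username, token) tuples standing in for a mail gateway
REJECTED = []  # mismatched requests, kept as a detection signal


def _send_reset(recipient, username):
    OUTBOX.append((recipient, username, secrets.token_urlsafe(16)))
    return recipient


def reset_tool_vulnerable(username, email):
    """The flaw as described: the requester's address becomes the destination
    without being compared to the address on file."""
    if username not in ACCOUNTS:
        return None
    return _send_reset(email, username)


def reset_tool_hardened(username, email):
    """The supplied address is only a claim to verify; the link is sent to
    the address on file and never to a caller-supplied one."""
    account = ACCOUNTS.get(username)
    if account is None:
        return None
    on_file = account["email"]
    claimed = email.strip().lower().encode()
    if not hmac.compare_digest(claimed, on_file.lower().encode()):
        REJECTED.append((username, email))  # alert on bursts of these
        return None  # caller gives the same generic reply either way
    return _send_reset(on_file, username)


if __name__ == "__main__":
    print(reset_tool_vulnerable("alice", "someone-else@example.net"))
    print(reset_tool_hardened("alice", "someone-else@example.net"))
    print(reset_tool_hardened("alice", " Alice@Example.com "))
```

Whatever sits in front of the handler, a chatbot included, can only pass along a claim; the destination is decided from the account record on the server side.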
Not great.
But also not surprising.
In fact, I think we’re going to continue to see more and more of these types of unintended consequences cropping up as there’s a rush to deploy both AI (in the form of chatbots and other mechanics) and software that was written by AI (e.g. vibe coded) that suffers from some fundamental flaws.
We’re living in a space that’s both deeply interconnected, and where velocity seems to be the most valuable property of any of our actions. As a result, things are getting out the door without sufficient diligence, testing, or threat modeling - and we learn these lessons the hard way (e.g. unintended consequences).
Many of these challenges are not even unique to AI. Had they followed the OWASP Top 10, more than a few of those OWASP categories could’ve kept them from stepping on this rake.
They don’t even have to get to the fancy new LLM-specific OWASP Top 10s, though they probably should.
And so should you.
Like we often discuss on this show, getting the basics right makes such a difference in the security and resilience of your applications, infrastructure, people, etc. Cutting corners might seem like a way to get there faster, but at what cost? That’s the risk of unintended consequences.
Fundraising
From a fundraising perspective, more than $21.5B in newly committed capital this week, including:
Blackstone raising $13.1B for its third Asia buyout fund; and
Eurazeo raising €3.9B for their seventh direct lending fund.
By way of IPO updates, a close reading of the SpaceX S-1 indicates that 93% of their proposed $28.5T estimated future market comes from AI (in the form of Grok), so color me skeptical on that one.
We also learned that Anthropic has filed their initial IPO paperwork confidentially, so we’ll be learning more there in the coming weeks. They also (conveniently?) called for others to slow the pace of AI development to prevent “significant societal risks.” So, again, color me skeptical on that one, as well.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts/
https://www.sec.gov/Archives/edgar/data/1181412/000162828026036936/spaceexplorationtechnologi.htm