A Meta software engineer's AI agent posted unsolicited advice in an internal discussion forum last week. When a second employee acted on that advice, it triggered a chain of events that left large amounts of company and user-related data accessible to unauthorized engineers for nearly two hours. Meta classified the incident as a Sev 1, the second-highest severity level on its internal scale, though the company said no user data was mishandled and there is no evidence anyone exploited the temporary access. The incident prompted the engineer involved to call for two changes: requiring agents to request explicit permission before acting on behalf of users, and clearer labeling of AI-generated responses in internal forums.
Meta’s rogue AI agent triggered a two-hour security breach after acting without employee approval

Paul Drecksler is the founder and editor of Shopifreaks E-commerce Newsletter, covering the most important stories in e-commerce.
