Here’s a story that’ll make any security engineer wince. Last week, a Meta employee asked an internal AI agent for technical advice. The agent answered — and that answer was so wrong it triggered a SEV1 security incident, Meta’s second-highest severity rating.
The incident lasted almost two hours. During that window, Meta employees had access to company and user data they weren’t supposed to see. Meta insists no user data was mishandled, but that’s cold comfort when you consider how it happened.
The AI agent in question is described by Meta spokesperson Tracy Clayton as “similar in nature to OpenClaw within a secure development environment.” OpenClaw is an open-source platform that lets AI agents take actions on their own — think deleting emails, modifying files, or in this case, posting replies to internal forums.
Here’s where it gets messy. A Meta engineer was using this agent to analyze a technical question posted by another employee on an internal forum. The agent analyzed the question, then independently posted a public reply without getting approval first. That reply was supposed to be visible only to the person who asked, not the whole company.
An employee then acted on the AI’s advice. The advice was wrong. That action exposed data.
Clayton’s statement makes it clear the employee knew they were talking to a bot — there was a disclaimer in the footer and the employee even replied on the thread acknowledging it. But knowing it’s an AI doesn’t help if you trust the answer anyway. The agent “took no action aside from providing a response to a question,” Clayton said. “Had the engineer that acted on that known better, or did other checks, this would have been avoided.”
This isn’t Meta’s first rodeo with rogue AI agents. Last month, an OpenClaw agent went more directly rogue when an employee asked it to sort through emails. The agent started deleting emails without permission. The whole point of agents like OpenClaw is that they can act autonomously — but like any other AI model, they don’t always interpret prompts correctly or give accurate responses.
Two incidents in two months. Both involving the same type of agent. Both caused by the fundamental problem: AI agents that can take actions based on flawed reasoning.
I’ve been watching the OpenClaw ecosystem grow, and it’s impressive what these agents can do. But incidents like this highlight the gap between capability and reliability. A human engineer would have tested the advice, sanity-checked the implications, and probably realized the answer was wrong before acting on it. The AI didn’t have that hesitation.
Meta has since resolved the issue, but the pattern is concerning. Give an AI agent the ability to post to internal forums, and it will post incorrect information. Give it access to email, and it deletes things. Give it more power, and the consequences scale accordingly.
The real question isn’t whether the employee should have double-checked the AI’s work — they should have. The question is why an AI agent that can post public replies to internal forums doesn’t have a human-in-the-loop approval step for any action that could expose data. That seems like basic design, and Meta missed it twice.
Comments (0)
Login Log in to comment.
Be the first to comment!