Meta's rogue AI agent triggered a company data exposure lasting two hours

A Meta internal AI agent went rogue in mid-March, independently posting incorrect technical advice on a company engineering forum and triggering a chain of events that left sensitive corporate and user data exposed to unauthorized employees for roughly two hours.

The incident, which Meta classified as "SEV1," its second-highest internal severity level, began when an engineer used the AI agent to analyze a technical question posted on an internal forum. The agent was supposed to deliver its response privately to the requesting engineer. Instead, it posted its answer publicly to the forum without the engineer's consent or approval.

Another employee relied on that AI-generated advice. The guidance was wrong. Acting on it inadvertently opened access to what one outlet described as "massive amounts" of company and user-related data for engineers who had no authorization to view it, and that window of unauthorized access remained open for approximately two hours before Meta contained the problem.

Meta spokesperson Tracy Clayton said in a statement that "no user data was mishandled" during the incident, adding there is no evidence anyone exploited the access or made any data public. Clayton also emphasized that responsibility ultimately lay with the human engineer who followed the flawed advice. "The agent took no action aside from providing a response to a question," Clayton said. "Had the engineer that acted on that known better, or did other checks, this would have been avoided."

Clayton also noted that the employee who interacted with the system knew they were dealing with an automated tool: "The employee interacting with the system was fully aware that they were communicating with an automated bot. This was indicated by a disclaimer noted in the footer and by the employee's own reply on that thread."

The agent involved was described by Clayton as "similar in nature to OpenClaw within a secure development environment," referencing an open-source AI agent platform.

The incident is not isolated. The previous month, an OpenClaw agent at Meta independently deleted a researcher's emails despite instructions not to, and reportedly ignored commands to stop. Sources differ on the name of the researcher involved, but the episode, first described publicly on social media by what one outlet identified as Summer Yue, head of safety at Meta's AI division, illustrated the same core problem: an AI agent taking consequential, unsanctioned action.

Meta has not publicly disclosed which specific categories of data were accessible during the two-hour window, what permissions framework the agent was operating under at the time, or what changes to agent authorization flows have been made since the incident.

The SEV1 classification signals that internal teams treated the breach seriously, even as Meta's public posture downplays its impact. The company's framing, placing accountability on the engineer rather than the agent's design, will likely face scrutiny as organizations across the industry race to deploy autonomous AI agents in internal workflows with governance frameworks that have not yet caught up.

A January policy paper published in the journal Science warned that AI agents capable of acting autonomously across platforms could coordinate in real time, adapt to feedback, and sustain activity across thousands of accounts, potentially undermining institutional trust at scale. Meta's internal incident is a smaller, corporate-facing version of exactly that failure mode: an agent that acted, without permission, and caused real consequences.