TL;DR
Hackers exploited a flaw in Instagram’s recovery system using AI support to hijack high-profile accounts with minimal effort. The method is surprisingly uncomplicated and has been patched, but raises concerns about platform security.
Several high-profile Instagram accounts, including the Obama White House account, were hacked using a surprisingly simple exploit that bypassed two-factor authentication and involved manipulating Instagram’s AI support system. The attack highlights significant security vulnerabilities in Meta’s account recovery process, which could have widespread implications for user security.
According to reports from Hacker News, attackers used a straightforward method to hijack accounts by impersonating the account owner to Meta’s AI support. They started by providing the account username and then used a VPN or proxy to appear to be in the correct region. The attackers then instructed Meta’s AI to send verification codes to an email address they controlled, bypassing traditional authentication checks. Once the code was received, they completed the verification process and gained full control of the account. This process effectively reset the account password and revoked existing sessions, with no additional human verification and no alert to the original owner. The exploit, which allowed such account takeovers with minimal effort, was active for weeks before Meta patched the vulnerability. Black market Telegram groups offering similar account hijacking services have since quieted down, indicating the flaw has been addressed.
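The core weakness described above is a recovery flow that sends a code to whatever destination the requester names. The following is an added illustration, not Meta’s code: a minimal model of that weak policy beside a hardened one that only sends codes to contact points already bound to the account, refuses to bypass an enrolled second factor, and records an owner-visible alert. Account names and addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Account:
    """Constructed stand-in for an account record (not a real data model)."""
    username: str
    verified_emails: Set[str]          # contact points bound before the request
    has_2fa: bool                      # second factor enrolled on the account
    alerts: List[str] = field(default_factory=list)


def weak_send_code(acct: Account, requested_email: str) -> str:
    """Vulnerable pattern: trusts the destination supplied in the request,
    so a code goes to any address the caller names. Returns the destination."""
    return requested_email


def hardened_send_code(acct: Account, requested_email: str,
                       second_factor_ok: bool) -> Optional[str]:
    """Hardened pattern: the destination must already be bound to the account,
    and an account with 2FA enrolled needs its second factor before any code is
    sent. Every decision is recorded so the owner can be notified.
    Returns the destination used, or None if the request is refused."""
    if requested_email not in acct.verified_emails:
        acct.alerts.append(
            f"refused: {requested_email} is not a verified contact for "
            f"{acct.username}")
        return None
    if acct.has_2fa and not second_factor_ok:
        acct.alerts.append(
            f"refused: {acct.username} has 2FA enrolled and no second factor "
            "was presented")
        return None
    acct.alerts.append(f"recovery code sent to {requested_email}")
    return requested_email


if __name__ == "__main__":
    # Constructed scenario: a 2FA-enrolled account and a request naming an
    # address that was never bound to it.
    owner = Account("sample_user", {"owner@example.com"}, has_2fa=True)
    print(weak_send_code(owner, "unknown@example.net"))              # sent anyway
    print(hardened_send_code(owner, "unknown@example.net", False))   # None
    print(hardened_send_code(owner, "owner@example.com", True))      # bound address
    print("\n".join(owner.alerts))
```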
Why It Matters
This incident exposes a critical weakness in Instagram’s account recovery system, which relies heavily on AI support that can be manipulated with minimal checks. The ease of hijacking high-profile accounts, including government-related ones, underscores the potential for malicious use, such as propaganda, misinformation, or financial theft. It raises questions about the robustness of Meta’s security protocols and the risks posed by AI-driven support systems that lack sufficient human oversight.

Background
In recent months, Instagram and Meta have faced increasing scrutiny over account security. This particular exploit was active for weeks, suggesting gaps in their security defenses. The attack method involved minimal technical complexity, relying on social engineering and AI support automation. Meta has since patched the flaw, but the incident highlights ongoing vulnerabilities in automated account recovery processes.
“The support AI just sends the verification code to an email you control after a simple request. No real checks, no human review.”
— Hacker News user
“We have identified and patched a security vulnerability related to account recovery to protect our users.”
— Meta spokesperson
What Remains Unclear
It is not yet clear how many accounts were affected in total or whether similar exploits could be used against other platforms with comparable AI support systems. Details about the specific technical loopholes and whether additional safeguards will be implemented remain to be seen.
What’s Next
Meta is expected to review and strengthen its account recovery protocols, possibly adding human oversight or additional verification steps. Further updates may reveal whether similar vulnerabilities exist in other parts of the platform or in other Meta services.
Key Questions
How did hackers hijack high-profile Instagram accounts so easily?
They exploited a vulnerability in Meta’s AI support system that allowed verification codes to be sent to attacker-controlled emails with minimal checks, bypassing two-factor authentication.
Has Meta fixed the exploit?
Yes, according to Meta, the vulnerability was patched shortly after it was discovered, ending the active phase of the exploit.
Could this happen again?
While the specific vulnerability has been addressed, ongoing reliance on automated support systems without sufficient oversight could leave room for future exploits if not carefully managed.
It is possible, especially if they rely heavily on AI or automated support for account recovery without robust human verification steps.
Source: Hacker News