
The Newest Instagram "Exploit" Is the Goofiest I've Seen

Why This Matters

This new Instagram exploit highlights a significant security vulnerability in the platform's account recovery process, allowing attackers to hijack accounts with minimal effort and bypass two-factor authentication. For consumers and the industry, it underscores the urgent need for more robust verification methods to protect user accounts from such simplistic yet effective attacks.

Key Takeaways

Yesterday, a slew of Instagram accounts, including some high-profile ones like the Obama White House account, seemingly got hacked. I've seen my share of exploits and takeover techniques, but this is the most unserious, "almost too stupid to be true" one of them all.

The Takeover Flow

Step 01: Faking the Location & Initiating Support

All the attacker needs to kick this off is your account username. Then they hop on a VPN or proxy close to your city (which is easy to learn from your public profile, your "About" section, or a hundred other ways) so Instagram's security algorithms don't suspect a thing. Once the request looks like it is coming from the correct region, they tell the Meta support AI that the account is hacked and ask it to send the verification codes to an arbitrary email address they control.

Step 02: That's It

Really, that's it. This is the first proper zero-auth password reset I've seen in production. There appears to be no additional check as to whether the email address being given is one the user has ever used before. Once the AI sends the security code to the attacker's email, the attacker passes it right back to complete the verification. The platform then hands over a fresh password reset link, granting full ownership to the attacker.

Instagram's AI may or may not ask the attacker for a video selfie to prove identity. It's not particularly discerning at the moment, so something as simple as an AI-animated public photo from the target's feed has been widely reported to work.

2FA Doesn't Help

In case you're wondering, because the system treats this high-privilege recovery flow as a total account reset by the "true" owner, the original 2FA gets thoroughly bypassed in the process.

Existing sessions are revoked and the password is changed with no email, text, or push notification. The actual owner can't initiate recovery because the email and phone numbers now map to the attacker. There's no human to escalate to; it's just you arguing with a chat, hoping to take control back while praying they don't do it again.
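To make the missing control concrete, here is an added Python model of the recovery decision (not code from the article or from Meta; the `Account` and `Decision` types and the two handler functions are assumptions for illustration). It contrasts the flow described above, where the code is routed wherever the requester asks and success resets 2FA silently, with a hardened version that only sends codes to previously verified contacts, notifies those contacts on every attempt, and keeps 2FA in force.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Account:
    username: str
    verified_emails: FrozenSet[str]  # addresses the owner confirmed in the past
    twofa_enabled: bool = True


@dataclass
class Decision:
    send_code_to: Optional[str]  # where the one-time code goes (None = refused)
    notify: FrozenSet[str]       # contacts told about the attempt
    bypass_2fa: bool             # does completing the flow skip 2FA?
    reason: str


def recover_insecure(account: Account, requested_email: str) -> Decision:
    """Models the flow in the article: any requested address receives the
    code, nobody is notified, and success counts as a full owner-driven
    reset, so 2FA is skipped."""
    return Decision(requested_email, frozenset(), True, "no ownership check")


def recover_hardened(account: Account, requested_email: str) -> Decision:
    """Only route codes to an address the owner verified earlier, tell every
    verified contact about the attempt, and never treat recovery as a 2FA
    bypass."""
    known = {e.lower() for e in account.verified_emails}
    if requested_email.lower() not in known:
        # Refuse, but still alert the real contacts so the owner learns early.
        return Decision(None, account.verified_emails, False,
                        "requested address was never verified")
    # Known address: send the code there, notify all contacts, keep 2FA on.
    return Decision(requested_email.lower(), account.verified_emails,
                    False, "verified address")


if __name__ == "__main__":
    # Constructed sample account; the attacker-controlled address is made up.
    acct = Account("target_user", frozenset({"Owner@Example.com"}))
    print(recover_insecure(acct, "attacker@evil.example"))
    print(recover_hardened(acct, "attacker@evil.example"))
    print(recover_hardened(acct, "owner@example.com"))
```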
