Skip to content
Tech News
← Back to articles

The newest Instagram “exploit” is the goofiest I've seen

2026-06-01 | original
read original get Instagram Exploit Detection Book → more articles
Why This Matters

This Instagram exploit highlights a significant security vulnerability in the platform's account recovery process, allowing attackers to hijack accounts with minimal effort and bypass two-factor authentication. For consumers and the tech industry, it underscores the urgent need for more robust verification methods to protect user accounts from simple yet effective attacks.

Key Takeaways

Yesterday, a slew of Instagram accounts, including some high profile ones like the Obama White House account, seemingly got hacked. I've seen my share of exploits and takeover techniques, but this is the most unserious, "almost too stupid to be true" of them all.

The Takeover Flow

Step 01: Faking the Location & Initiating Support

All the attacker needs to kick this off is your account username. Then, they hop on a VPN or proxy close to your city so Instagram's security algorithms don't suspect a thing. (You can quite easily get this from your public profile or "About" section or a hundred other ways.) Once it looks like the request is coming from the correct region, they tell the Meta support AI that the account is hacked and ask it to send the verification codes to an arbitrary email address they control.

Step 02: That's It

Really, that's it. The first proper zero auth password reset I've seen in production. There appears to be no additional check as to whether the email being given is actually something the user has used before. Once the AI sends the security code to the attacker's email, the attacker passes it right back to complete the verification. The platform hands over a fresh password reset link, granting full ownership to the attacker.

Instagram's AI may or may not ask the attacker for a video selfie to prove identity. It's not particularly discerning at the moment, so something as simple as an AI animated public photo from the target's feed has been widely reported to work.

2FA Doesn't Help

In case you're wondering, because the system treats this high-privilege recovery flow as a total account reset by the "true" owner, the original 2FA gets thoroughly bypassed in the process.

Existing sessions are revoked and the password changed with no email, text, or push notification. The actual owner can't initiate recovery because the email and phone numbers now map to the attacker. There's no human to escalate to, it's just you arguing with a chat hoping to take control back while praying they don't do it again.

... continue reading

Explore topics: instagram meta account hacking zero auth security
Related:
PewDiePie Is Here to Offer You Privacy Assurances in the Age of AI
Hackers hijacked Instagram accounts by tricking Meta AI support chatbot into granting access
Nvidia, Meta and SLB rank among top companies in adopting AI, new study says
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts
Zigging when most are zagging, ex-Meta CTO raises $250M climate fund

© 2026 GoKawiil

About | Editorial Policy | Contact