
Posted by ssiddharth 1 day ago

The newest Instagram “exploit” is the goofiest I've seen(www.0xsid.com)
https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-su...
2111 points | 470 comments | page 4
gaflo 1 day ago
Is there any credible primary source for this exploit being real?
throwawaycan 1 day ago
https://www.404media.co/hackers-simply-asked-meta-ai-to-give...
crossroadsguy 16 hours ago
I'd have loved to try this. There's a 4 letter (my short name; my favourite username) Instagram account registered by someone years ago and being squatted upon. Not private and totally unused. Oh, but then I don't use instagram. Still wouldn't have minded snatching it
r721 1 day ago
Related discussion: https://news.ycombinator.com/item?id=48350239
1matin 4 hours ago
Recycling accounts are good for the environment. Why not?
xp84 1 day ago
This is very worrying to me, since I have a three-letter IG account and I already get daily recovery emails triggered by unknown actors. They have this system which after some number of these you'll also get a second link like "you can _limit password resets from devices you haven't used before_" but it's only for like 60 days, then it resets to the normal "anyone who types in your username can request resets" mode.

What I want is simply a mode to "never, ever, under any circumstances, perform 'recovery' of any kind, through any channel, ever, unless the person requesting has my TOTP code or a passkey." And frankly I want that for pretty much every account everywhere. But no, we have to leave the social engineering door wide open. And now, put a gullible robot in that doorway. Great.

parable 1 day ago
You're lucky you weren't affected by this. Several people I know with three-letter usernames had theirs stolen over the last few days.

When I recovered my account that had been stolen through this exploit (luckily, my username hadn't been changed), I was sent a code to my email address and then asked to use my TOTP code, backup code, or a video selfie. I used my TOTP code and was let in just fine. They certainly have the ability to make such a feature. Keep in mind, however, that several unpatched TFA bypasses exist for Instagram currently. People offer it as a service for around $1,000 on Telegram. Where there's a TOTP code input, there's a way to bypass it.

xp84 20 hours ago
Very interesting. I found it odd that when I happened to open IG yesterday, I was prompted to log in, and my password didn't work. I asked it to send me a link to my email and got in that way, and didn't have time to look into it further.

So I went to check it again just now after reading your comment, and as soon as I opened the app I was immediately prompted to create a new password, which I did.

Very, very sketchy things going on here. But I'm glad that they didn't fully allow my account to be stolen :/

jerieljan 15 hours ago
Why do I feel like they basically added their AI support chatbot to the same group / mailing list that the human support belonged to, along with the same permission set, and just called it a day?

I'll laugh even harder if they wrote tests for it and only made tests for the happy path and not the error cases or just ignored the latter.

varenc 1 day ago
> The first proper zero auth password reset I've seen in production.

In 2011 Dropbox briefly had an even easier "zero auth exploit". For a couple of hours, if you typed in any email on the login page, password checking was skipped and you could log in to any account. Albeit you still couldn't reset the user's password, just log in.

https://techcrunch.com/2011/06/20/dropbox-security-bug-made-...

californical 6 hours ago
Remember this macOS bug? It let you log in to any computer as the root user by typing "root" as the username with no password.

My IT department had a blast with that one, pure disbelief that it worked on all of our systems

https://arstechnica.com/information-technology/2017/11/macos...

parable 1 day ago
What about Hotmail's "eh" flaw of 1999? I'd say a two-letter password is practically "zero auth".
zmmmmm 22 hours ago
Curious how much this is AI related vs just generic stupidity?

i.e., did they put guard rails in place but the AI bot creatively found a way around them? Or is it literally just that they mindlessly empowered it to do these things without even making it check?

At some level, it seems to me it shouldn't be technically possible to bypass the 2FA. Yeah the account becomes unrecoverable. But that's why they force you to download / print out those account recovery codes.
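
The design point raised in xp84's comment (recovery should never succeed without a TOTP code or passkey) and in zmmmmm's comment (2FA should not be technically bypassable, which is what the backup codes are for) can be written down as a recovery gate that applies the same check to every channel, so that wiring an AI agent into the support tooling, as jerieljan suspects happened, adds a channel but not a bypass. The following is an added example, not code from Meta/Instagram or from anyone in this thread; the channel names, the `Account` class, the sample user and its secrets are all hypothetical and constructed for the demo. The TOTP routine follows RFC 6238 with HMAC-SHA1.

```python
"""Channel-agnostic account-recovery gate (added example; all names hypothetical).

Rule enforced: no caller, whether the self-service reset page, a human
support agent or an AI support agent, can reset a password unless the
requester proves possession of an enrolled factor (a TOTP code or a
single-use backup code). A verified e-mail link alone never suffices.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def slow_hash(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for backup codes and passwords; never store them in clear."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


class RecoveryDenied(Exception):
    pass


class Account:
    def __init__(self, username: str, password: str, totp_secret: str, backup_codes: list):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = slow_hash(password, self.salt)
        self.totp_secret = totp_secret
        # backup codes are single use, so keep only hashes in a list we can delete from
        self.backup_hashes = [slow_hash(c, self.salt) for c in backup_codes]
        self.events = []  # audit trail: (outcome, channel, factor)


# Every channel that can reach the reset handler. An AI agent is one more
# entry here; it is never a reason to skip the possession proof.
CHANNELS = {"self_service", "human_support", "ai_support_agent"}


def verify_factor(acct: Account, proof: dict, now: int) -> Optional[str]:
    """Return the kind of factor proven by `proof`, or None."""
    kind = proof.get("kind")
    code = proof.get("code", "")
    if kind == "totp":
        # accept the current 30 s window and one either side for clock drift
        for drift in (-30, 0, 30):
            if hmac.compare_digest(totp(acct.totp_secret, now + drift), code):
                return "totp"
        return None
    if kind == "backup_code":
        candidate = slow_hash(code, acct.salt)
        for i, stored in enumerate(acct.backup_hashes):
            if hmac.compare_digest(stored, candidate):
                del acct.backup_hashes[i]  # burn the code: single use
                return "backup_code"
        return None
    return None


def reset_password(acct: Account, channel: str, email_link_verified: bool,
                   proof: dict, new_password: str, now: Optional[int] = None) -> str:
    """Reset the password; raise RecoveryDenied unless a factor is proven.

    `channel` is who is asking, `proof` is what the requester presented.
    The check is identical for all channels on purpose.
    """
    now = int(time.time()) if now is None else now
    if channel not in CHANNELS:
        raise RecoveryDenied(f"unknown channel {channel!r}")
    if not email_link_verified:
        raise RecoveryDenied("e-mail link step not completed")
    factor = verify_factor(acct, proof, now)
    if factor is None:
        acct.events.append(("denied", channel, None))
        raise RecoveryDenied(f"{channel}: no enrolled factor proven, refusing reset")
    acct.password_hash = slow_hash(new_password, acct.salt)
    acct.events.append(("reset", channel, factor))
    return factor


def demo() -> list:
    """Constructed scenario: an AI support agent that completed only the e-mail
    step is refused; the owner with a TOTP code, then a backup code, is not;
    replaying the burnt backup code is refused again."""
    acct = Account("xyz", "old-password", "JBSWY3DPEHPK3PXP", ["4821-7730", "9051-1186"])
    now = 1_700_000_000
    out = []
    try:
        reset_password(acct, "ai_support_agent", True, {"kind": "none"}, "attacker-pw", now)
    except RecoveryDenied as e:
        out.append(str(e))
    out.append(reset_password(acct, "self_service", True,
                              {"kind": "totp", "code": totp(acct.totp_secret, now)},
                              "new-password-1", now))
    out.append(reset_password(acct, "human_support", True,
                              {"kind": "backup_code", "code": "4821-7730"},
                              "new-password-2", now))
    try:
        reset_password(acct, "human_support", True,
                       {"kind": "backup_code", "code": "4821-7730"}, "replay", now)
    except RecoveryDenied as e:
        out.append(str(e))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The e-mail step stays in the flow as a rate-limiter and notification, but it is deliberately not a credential: the only way through `reset_password` is a factor the account holder enrolled, and a support tool (human or model-driven) that lacks it gets the same denial as an attacker.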

Ozzie_osman 1 day ago
The ironic thing is I know several legitimate humans who have lost access to their accounts years/months ago, and have been dealing with support hell trying to get access back.

Maybe they should have hacked themselves.

parable 1 day ago
I've said this before, too. Several people I know have used various tricks and exploits to fix problems that support teams supposedly couldn't fix.
callan101 1 day ago
This is true for any service that Meta owns. I experienced something similar on my Meta (formerly Oculus) account. Meta support is very susceptible to social engineering and they have been for some time.