Posted by ssiddharth 1 day ago

The newest Instagram “exploit” is the goofiest I've seen(www.0xsid.com)
https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-su...
2115 points | 472 comments (page 5)
Illniyar 1 day ago|
Based on what we know, it seems like Meta has given AI access to a service with guardrails built for human agents, while it should have built guardrails appropriate for the current state of AI.

Since everyone should already know by now that you can't strap an AI onto an existing system without a lot of guardrails, this feels like a very high level of incompetence.

No one should be putting AI on top of any production system without having a default deny policy on actions and slowly adding new capabilities with proper guardrails.

tantalor 1 day ago||
They're just one tiny step from the AI emailing itself all the account recovery links, and locking out the entire userbase.

It might even do that preemptively if it thinks they're going to shut it down.

hedayet 16 hours ago||
Meta has shown time and again that they're not serious about anything, including but not limited to customer privacy, security, and support.

If you still use Meta products in 2026, you kinda deserve it.

vachina 22 hours ago||
I’ve got one cool story to tell. One of my Facebook alt credentials is somehow “merged” with another alt that I used to use, that is, I can use the email of one account to login to another account. The merge seems to be persistent.

Meta somehow determined the two accounts are the same person.

sunnybeetroot 20 hours ago|
This is normal. If you have one Instagram account, you can create another with the existing account's email.
semiquaver 1 day ago||
From context, it seems there was an API that was internal for support use but was supposed to be gated by some required process of convincing the support agent you were who you said you were (also vulnerable to social engineering), but they didn't really evaluate whether tools intended for conscientious human use should be provided directly to the LLM that replaced the former support agents.
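
An added example of the control Illniyar and semiquaver describe above: a default-deny tool gateway in front of an LLM support agent, where nothing executes unless the tool is on the role's allowlist, and the account-recovery tool is additionally gated on an identity assertion produced by a separate verification step rather than by anything the model reads in the chat. This is illustrative code written for this page, not Meta's system or anything from the linked article; the tool names, the HMAC key, the verifier and the sample tool calls are all assumptions.

```python
"""Default-deny tool gateway for an LLM support agent (constructed example).

The model proposes tool calls as JSON-like dicts. The gateway allows a call
only if (a) the tool is explicitly allowlisted for this agent role and
(b) for sensitive tools, a valid identity assertion exists for the SAME
account the call targets. The assertion is an HMAC issued by an out-of-band
verifier (e.g. a one-time code to the account's registered contact), so the
model cannot forge one from a persuasive transcript.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: secret held by the verification service, never by the model.
VERIFIER_KEY = b"demo-key-not-for-production"


@dataclass(frozen=True)
class ToolSpec:
    name: str
    sensitive: bool = False  # sensitive tools need a bound identity assertion


@dataclass
class Policy:
    # Allowlist for one agent role: tool name -> spec. Absent means denied.
    allowed: dict[str, ToolSpec] = field(default_factory=dict)


def issue_verification(account: str, now: int, ttl: int = 300) -> dict:
    """Simulate the out-of-band verifier binding an assertion to an account."""
    exp = now + ttl
    mac = hmac.new(VERIFIER_KEY, f"{account}|{exp}".encode(), hashlib.sha256).hexdigest()
    return {"account": account, "exp": exp, "mac": mac}


def verification_valid(assertion: dict | None, account: str, now: int) -> bool:
    """Accept only an unexpired, untampered assertion for exactly this account."""
    if not assertion or assertion.get("account") != account:
        return False
    if now >= int(assertion.get("exp", 0)):
        return False
    expected = hmac.new(
        VERIFIER_KEY, f"{assertion['account']}|{assertion['exp']}".encode(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, str(assertion.get("mac", "")))


def authorize(policy: Policy, call: dict, assertion: dict | None, now: int) -> tuple[bool, str]:
    """Decide a model-proposed tool call. Default is deny; reasons are explicit."""
    spec = policy.allowed.get(call.get("tool", ""))
    if spec is None:
        return False, "deny: tool not in allowlist for this role"
    if spec.sensitive:
        account = call.get("args", {}).get("account")
        if not account:
            return False, "deny: sensitive tool call without a target account"
        if not verification_valid(assertion, account, now):
            return False, "deny: no valid identity assertion for target account"
    return True, "allow"


# Constructed policy for a "tier-1 support" agent role. Note what is absent:
# delete_account is simply not granted, regardless of what the model argues.
SUPPORT_POLICY = Policy(
    allowed={
        "lookup_ticket_status": ToolSpec("lookup_ticket_status"),
        "send_recovery_link": ToolSpec("send_recovery_link", sensitive=True),
    }
)


def demo_decisions(now: int = 1_000_000) -> list[str]:
    """Run constructed tool calls through the gateway; returns the reasons."""
    alice_ok = issue_verification("alice", now)
    calls = [
        ({"tool": "lookup_ticket_status", "args": {"account": "alice"}}, None),
        ({"tool": "delete_account", "args": {"account": "alice"}}, None),
        ({"tool": "send_recovery_link", "args": {"account": "alice", "email": "x@example"}}, None),
        ({"tool": "send_recovery_link", "args": {"account": "alice", "email": "x@example"}}, alice_ok),
        # Assertion for alice replayed against bob: bound to the wrong account.
        ({"tool": "send_recovery_link", "args": {"account": "bob"}}, alice_ok),
    ]
    return [authorize(SUPPORT_POLICY, c, a, now)[1] for c, a in calls]


if __name__ == "__main__":
    for line in demo_decisions():
        print(line)
```

The point of the shape is that the "convince the agent" step becomes a cryptographically bound artifact with an account and an expiry, so the model's own judgement about who it is talking to never enters the authorization decision.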
coldcode 1 day ago||
Nothing says you are an advanced stupid company more than using AI to implement the stupid. This is security I doubt even a college student would implement. Does Meta have a CSO? The correct answer is they don't, even though somebody might occupy the title.

Of course it's always possible that they simply don't care who has your account, as long as they get money.

ttctciyf 11 hours ago||
I mean the implications and ramifications are fascinating, but .. I just need to take a few moments to absorb the sheer spectacular stupendous glorious DUMBNESS of a multibillion dollar corp with its generously paid staff utilising $multibillion SOTA tech to ignore any reasonable security checks and give prized accounts away for nothing to random hackers. It is difficult to comprehend in its enormity.

A breach which surely will go down in computer history as one of the most egregious and avoidable corporate IT failures of all time.

Glyptodon 1 day ago||
What's funny about this to me is that I tried to sign up for insta once and could never get past their automated ID check that would fire after signup despite using a real ID. (So never did sign up. I suspect maybe they just really don't want you using web on mobile devices but ymmv.)
ArmadilloGang 1 day ago|
On mobile, Meta absolutely doesn’t want you to use web. I created my Facebook account in 2004, deleted it in 2018 (Cambridge Analytica scandal), and later created a fake one just to use FB marketplace to sell things.

I will never install the Facebook app on my phone, so I use a browser instead. The experience is almost unusable. I can’t rate people. I’m not even sure if I can send messages. I can’t list things. The UI appears to support features that don’t work in practice.

No biggy because I just use a Firefox container and use my laptop instead, where the web version actually does work.

Marsymars 23 hours ago||
How do you use FB marketplace without installing the Messenger app?

I've tried that, but FB has stopped sending email notifications of messages, so without the Messenger app installed for notifications, I'll invariably fail to check messages on any kind of timely basis.

umarcyber 1 day ago||
I'm sitting here wondering why the Chief Master Sergeant of the U.S. Space Force has an Instagram account to begin with. I understand it's the office itself, but I still don't see the reason to expand the attack surface of government offices. X makes sense; Instagram, I'm not so sure.
ventana 1 day ago||
I see no difference between X and Instagram in this regard whatsoever.

Think NASA, for example; it's also a government agency, and they are doing a great job posting photos on Instagram. Do you think anything is wrong with it?

asdff 1 day ago||
It is just bizarre when you take a step back and remember the world 20 years ago. NASA would just post directly to their own website. Of course they would. Now imagine you go back in time 20 years and say "What if we took all these images you are providing for the public on their dime, compressed the hell out of them, and served them in this for-profit proprietary marketing/propaganda app instead?" Engineers in 2006 would have probably looked at you like you had three heads. The question would make no sense back then.

Something to think about when we consider what is "normal" today. Not much really is normal. We've been beaten to think it is.

ventana 1 day ago|||
I feel that this is somewhat orthogonal. Yes, some questionable things have happened that left the ways people exchange information controlled by a handful of corporations.* But for NASA specifically, this is not relevant. They were not the ones who forced people to go to social networks; they needed to go there because this is where their audience was.

* On that note, and for the sake of the argument, I would say that the years of free, uncontrolled information exchange on the Internet can probably be considered an exception. Information exchange was always controlled by governments and businesses (e.g. TV and newspapers) before, just as it is now. The fact that you or I don't like it does not change that this is how it used to be before the Internet appeared as a "free space". My generation was lucky to see how great the world with free information exchange could be, but I don't have much hope that it will stay like that for long.

Marsymars 23 hours ago|||
I'll note that for most purposes the canonical NASA image repository is on Flickr, and it seems like NASA pays to have it ad-free for viewers.
toast0 1 day ago|||
Outreach, I'd guess? You've got to do outreach where the people are. X and Instagram have pretty different audiences, but they're both large, so if you're on one you probably should be on both.
mikey_p 1 day ago|||
Why does X make sense? It makes no sense at all to me. X is the least logical place to put it.
lordgrenville 10 hours ago||
It's not really an attack surface though. Reminds me of https://xkcd.com/932/
freediddy 1 day ago|
How did Meta security sign off on this "feature"? That is the biggest shock in my opinion.