
Posted by ssiddharth 1 day ago

The newest Instagram “exploit” is the goofiest I've seen (www.0xsid.com)
https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-su...
2121 points | 472 comments | page 6
harikb 1 day ago
Why isn't there a middle man service to do IRL verification.

Like - account is locked, you must use 2FA backup codes.

Else go to western union / 7-eleven / super-market, show ID proof, pay $10 for recovery service.

Wait 2 days (of someone not clicking on this-was-not-me)

If account is already hacked - pay $100 for expert support

fn-mote 1 day ago
With a lot of care for the details, otherwise you just made account hijacking possible for $20.

Those 7-Eleven & Western Union jobs are very low wage in the US (if not worldwide?). Cheaper than paying an insider to do something for you.

Your assumption that the target is going to respond within two days is pretty fast. There’s a lot of details and they will all be attacked / exploited in any standard workflow.

dfee 1 day ago
wtf. this prompted me to attempt to open the app on my phone, and then realize my account was likely compromised (i received a bunch of password reset prompts over the weekend and now my password doesn't work).

but, what now? how do i restore my account?

queenkjuul 1 day ago
Tell the AI your email got hacked, here's a new one lol
dfee 1 day ago
well, it seems to have transferred back to me (or at least i could login through another method). but, i can't reset the password right now ("Something went wrong, please try again"). though, it tells me that the password was last changed yesterday… hmm.
parable 1 day ago
Your account might be rate limited from performing additional password resets. Try the hacked account flow by selecting "Can't reset your password" (or whatever the app says) when trying to do a password reset. That's how I was able to sign back in despite being unable to request additional reset codes.

Have you lost your username? Instagram should allow you to revert it once you're back in.

signal11 1 day ago
Does this explain the numerous password reset messages I’ve received over the past year?
parable 1 day ago
Those are just bots sending reset attempts to obtain your email or phone hint. I receive hundreds per year. All you need to send a password reset link is the account's username, which is, of course, publicly accessible.
8cvor6j844qw_d6 1 day ago
Interesting article.

A few hours back, I was spammed with ig.me links insisting I click it to check it out.

I did not have the opportunity to visit the link, but it appears to be related to some Instagram password reset flow.

parable 22 hours ago
I suggest you try signing into your Instagram account via the app or website to check if you've been compromised. It could very well be a bot trying to obtain your recovery method hints but you could've also fallen victim to this exploit, especially if you have a short or valuable username.
CrzyLngPwd 1 day ago
We're approaching the time where customers will present an "are you human" captcha to each other, starting with support bots, no doubt.

The stories of AI support fails are getting funnier and stupider.

ChuckMcM 1 day ago
I fear that all the 'leet jobs in tech are gonna be QA. "Top dollar paid to person who can write a test suite that keeps our AI in check!"
skizm 1 day ago
At a bare bare minimum accounts over a certain size of follower count should be excluded from this flow. They should basically have account managers anyway.
schainks 1 day ago
The irony here is Meta won’t verify my business nor will the Meta AI helper do nefarious things by design but this exploit was just hanging out.
gyoridavid 11 hours ago
Maybe they vibe-coded the support agent?