The newest Instagram “exploit” is the goofiest I've seen

Posted by ssiddharth 1 day ago

The newest Instagram “exploit” is the goofiest I've seen(www.0xsid.com)

https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-su...

2127 points | 473 commentspage 7

gyoridavid 12 hours ago|

Maybe they vibe-coded the support agent?

wdr1 20 hours ago||

If Kevin Mitnick were still with us, I feel like he would be proud of these guys.

rglover 1 day ago||

This is bad but the bigger question I have is: given this was allowed to ship, what other exploits exist like this across their portfolio?

jpatel3 1 day ago||

2fa reduces the come back count, so they are liberal with some of the ways people can get in the app.

mtoner23 1 day ago||

wow thats extremely embarassing for meta

bayarearefugee 1 day ago||

Just another day for Meta in terms of embarrassing outcomes, and yet the company makes hundreds of billions of dollars per year because the only thing that matters anymore is shoving increasingly scammy and worthless ads in front of as many eyeballs as possible, even when the people with those eyeballs can less and less afford to buy anything non-essential.

mikey_p 1 day ago|||

I know this is Hacker News and supposed to be serious and all, but do you really think the people running Meta are capable of embarrassment at this point?

jolt42 1 day ago|||

I suppose you could chalk this up to an oversight. I don't see how Meta gained from this. They've been purposeful about collecting user data and lying about it, eg: 2025 Android Tracking Incident. Shouldn't just be an embarrassment, should be much worse than that.

petesergeant 1 day ago||

Who specifically do you think is embarrassed there? They’ve got all the cards, they don’t care.

calin2k 1 day ago||

today I received multiple whatsapp messages from an account called instagram with links to reset my password. I never did request a password reset. I have no Idea if the whatsapp account called instagram was/is instagram, and how to verify.

parable 1 day ago|

Likely a bot spamming the reset endpoint to fetch your recovery method hints. Happens all the time. I'd ignore and just sign into your account via the app or website to make sure everything's fine. WhatsApp is indeed used to send reset codes to accounts if the phone number on file is registered to WhatsApp, but I'm unsure as to how that integration actually works, as I don't use WhatsApp.

petterroea 18 hours ago||

This is a somewhat unpopular opinion but I find it depressing that this is what the so-called elite FAANG engineers are able to come up with.

Or maybe even more sad, this is what a FAANG product manager is able to pass through layers of "are you mad"

binyu 23 hours ago||

> "exploit"

More like social engineering meets AI and stupidity

datagreed 1 day ago||

Worked only on US accounts i guess. In EU its impossible to reach Meta support agent

MoonWalk 1 day ago|

Disgraceful. Instragram's "security" has been trash for years.

More comments...