
Posted by ssiddharth 1 day ago

The newest Instagram “exploit” is the goofiest I've seen (www.0xsid.com)
https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-su...
2129 points | 473 comments
WhyIsItAlwaysHN 1 day ago|
"Social engineering is all you need"
hangonhn 1 day ago|
More like "Prompt engineering" ?
zorrn 1 day ago||
Can we really name this "Prompt engineering"? The prompt is so simple this is hardly any work, even less than this comment.
hangonhn 1 day ago||
Fair point but it's not social either. It's a new class of exploit that's based on tricking the AI.
Minor49er 1 day ago||
It's not based on plugging an LLM into an area where it doesn't belong in the first place?
y15a 23 hours ago||
Not totally sure if this is an AI-specific vulnerability. I find AI to be more prudent in its actions than an average person.
theideaofcoffee 1 day ago||
What is even the point of having 2FA if it can be so trivially bypassed? Isn't that the whole point that it's sort of a last line of defense? Oftentimes, you can't change simple account settings without having to re-auth and then punch in your code again. Why would something as critical as a suspicious password reset be able to jump ahead of that? Mind boggling. But, I guess that's what happens when you lay off 10% of your people at a time.
sleepybrett 1 day ago||
The only thing worse than a naive customer support rep is an even more naive customer support ai.
eukara 1 day ago||
Who would've thought that the 'worst case scenario' we predicted keeps happening with this tool they recklessly shove into everything.
SCdF 1 day ago||
Jesus fucking Christ. On a bicycle.

LLMs should be treated as untrusted. At all times.

The mind boggles at the attitudes that seem to have led to LLMs being an excuse to throw any of the "science" in computer science we've managed to get into production out the window and go elbow deep into treating computers like mystical alchemy.

The next decade is going to be a bumpy ride.

aryan14 22 hours ago||
> “In case you're wondering, because the system treats this high-privilege recovery flow as a total account reset by the "true" owner, the original 2FA gets thoroughly bypassed in the process.”

This is false.

Important to note: this did not work if your account had 2FA of any kind.

e.g. if you had a time-based authenticator enabled, after the AI gave you the code to reset the password, it had no notable privileges beyond that.

TL;DR: if you had 2FA this wouldn’t work on you.

palmotea 21 hours ago|
> Important to note this did not work if your account had 2FA of any kind

What about what the OP said?

> 2FA Doesn't Help

> In case you're wondering, because the system treats this high-privilege recovery flow as a total account reset by the "true" owner, the original 2FA gets thoroughly bypassed in the process.

> Existing sessions are revoked and the password changed with no email, text, or push notification. The actual owner can't initiate recovery because the email and phone numbers now map to the attacker. There's no human to escalate to, it's just you arguing with a chat hoping to take control back while praying they don't do it again.

> And if you're part of the A/B tested accounts on which the AI support option is active, tough luck, you can't even turn it off.

aryan14 21 hours ago||
It’s just incorrect.

It’s true that existing sessions are revoked, because the password was reset.

The reason the target wouldn’t get any notifications at all would be in the case they never set up any additional verification methods to receive these notifications, since this only worked on accounts w/o 2FA.

You can test this on your own account: if you have 2FA enabled and reset your password, you’ll receive notifications to whatever option you have enabled.

Also, if you reset the password, it doesn’t remove all 2FA methods on the account (you can test this).

So assuming a threat actor reset the password, they would attempt to log in with the correct password but would still need the 2FA code or approval.

gowld 10 hours ago||
An AI told them they could have someone else's account?

My AI told me that you all can have Zuck's yacht. Enjoy!

Hugsbox 1 day ago||
Jeez, straight up amateur shit. Genuinely hard to believe.
maheenaslam 20 hours ago|
Bro a VPN and please was all it took to own someone's Instagram? I've seen more security on a middle schooler's diary.