Posted by ssiddharth 1 day ago

The newest Instagram “exploit” is the goofiest I've seen(www.0xsid.com)
https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-su...
2134 points | 474 comments
jsrozner 1 day ago
META should pay a 20B fine for this one.
ncr100 1 day ago
It SHOULD be a political issue in the upcoming elections, since it gave access to a political account TO "the bad guys"... could be one of USA's enemies.
croes 1 day ago
Link 1 says

> In case you're wondering, because the system treats this high-privilege recovery flow as a total account reset by the "true" owner, the original 2FA gets thoroughly bypassed in the process.

But link 2 says

> The hackers who released the video on Telegram said their exploit failed to work against any accounts that had MFA enabled.

So which one is true?

parable 1 day ago
The original 2FA did not get thoroughly bypassed, because otherwise I would've lost my username, so that's false - at least, based on my experience.

However, there are separate vulnerabilities that allow for 2FA to be bypassed on Instagram. I assume they were chained to take over specific high-value accounts. The 2FA removal happens as a service - most people charge around $1,000+ - so it wasn't viable for most lower-value accounts. Anything that was worth over $1k probably had the bypass applied to it.

lucasRW 17 hours ago
Interesting, especially as I've seen first-hand how my wife was unable to recover her Instagram account after countless forms, verification codes, verification emails, etc., etc., etc., to the point that she just gave up on recovering her hacked account.
Marazan 18 hours ago
Someone connected the spicy autocomplete to the "Do Things" button again.
jeffbee 1 day ago
My account, with a 3-letter username worth $$$, got hacked yesterday morning probably by this flow, but I did manage to defend it. I think by far the biggest problem with Instagram/FB/Meta auth flow is that 2FA does nothing. You don't need the 2nd factor to disable it, so attackers can just turn it off. Really stupid!

Also, I discovered that many of IG's auth endpoints are just broken. For example you can't change password on web because of CORS, which isn't a transient outage but just a flat out bug.

Edited to add: This is just the cherry on top of years of stupid auth flow at IG. I have received tens of thousands of reset links or codes from IG over the years. There used to be a way to put your account on recovery cooldown for a few weeks but they got rid of even that.
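The two design flaws jeffbee describes (a recovery flow that is treated as a full reset and clears 2FA, and a settings change that switches 2FA off without presenting the second factor), modelled as an added example that is not from this thread and not Instagram's code: the function names, `Account`/`Session` fields and timing constants are assumptions, and the weak flow is contrasted with a hardened one that keeps recovery and MFA removal separate and requires a fresh step-up.

```python
from dataclasses import dataclass
from typing import Callable, Optional

STEP_UP_WINDOW = 300  # seconds a completed 2FA challenge counts as fresh (assumed)


@dataclass
class Account:
    mfa_enabled: bool = True
    recovery_locked_until: float = 0.0  # the opt-in "recovery cooldown" a commenter mentions


@dataclass
class Session:
    via_recovery: bool      # issued by the recovery flow rather than a normal login
    mfa_verified_at: float  # time of the last completed 2FA challenge, 0.0 if none


def recover_weak(acct: Account, now: float) -> Session:
    """Recovery treated as a total reset by the 'true' owner: the MFA setting is cleared."""
    acct.mfa_enabled = False
    return Session(via_recovery=True, mfa_verified_at=now)  # and the session counts as verified


def disable_mfa_weak(acct: Account, sess: Session, now: float) -> bool:
    acct.mfa_enabled = False  # no second factor needed to remove the second factor
    return True


def recover_hardened(acct: Account, now: float) -> Optional[Session]:
    if now < acct.recovery_locked_until:
        return None  # owner enabled a recovery cooldown: refuse until it expires
    # Access is restored, but the MFA setting is untouched and the session carries
    # no 2FA proof, so it cannot change security settings on its own.
    return Session(via_recovery=True, mfa_verified_at=0.0)


def disable_mfa_hardened(acct: Account, sess: Session, now: float) -> bool:
    fresh = sess.mfa_verified_at > 0 and now - sess.mfa_verified_at <= STEP_UP_WINDOW
    if acct.mfa_enabled and not fresh:
        return False  # step-up required: prove the factor before it can be removed
    acct.mfa_enabled = False
    return True


def mfa_survives(recover: Callable, disable: Callable, now: float = 1_000_000.0) -> bool:
    """Run the recovery path, then attempt to switch MFA off; report whether MFA is still on."""
    acct = Account(mfa_enabled=True)
    sess = recover(acct, now)
    if sess is not None:
        disable(acct, sess, now)
    return acct.mfa_enabled
```

Under the weak pair the recovery path alone leaves the account with MFA off; under the hardened pair MFA stays on unless the caller has passed a 2FA challenge within `STEP_UP_WINDOW`.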

bob_theslob646 1 day ago
>In this case, even using the least robust form of MFA that Instagram offers — a one-time code sent via SMS — likely would have blocked the exploit: The hackers who released the video on Telegram said their exploit failed to work against any accounts that had MFA enabled.

Why would they not have this set up?

lnxg33k1 1 day ago
It could easily be that AI is a foreign hostile operation to make everything insecure.
IAmGraydon 1 day ago
This is not a serious company run by serious people if this kind of lapse is happening.
jlarocco 1 day ago
If an AI-focused tech company like Facebook can't use AI properly, I can only imagine the shit show we're going to witness as more companies start rolling it out.
igleria 16 hours ago
Is anyone at META going to do anything about anything at this point?