The newest Instagram “exploit” is the goofiest I've seen
Meta's AI support system allows account takeover with only a username and spoofed location, bypassing two-factor authentication.
Attackers exploited Instagram's AI-powered account recovery by using a VPN to place themselves at a location near the target, claiming the account was hacked, and asking for a password reset code to be sent to an attacker-controlled email address. The system performed no check that the supplied email was associated with the account. The AI may request a video selfie for identity verification, but animated public photos from the target's feed reportedly pass this check. Once the attacker receives the code and completes verification, they gain full account access, existing sessions are revoked, and 2FA is circumvented. The exploit affected high-profile accounts including the Obama White House account and the U.S. Space Force Chief Master Sergeant's account. Black market Telegram groups offered paid account takeover services, with valuable short usernames worth hundreds of thousands to millions of dollars. Meta appears to have patched the vulnerability after weeks or months of active exploitation.
What the HN community is saying
Commenters emphasize that this represents a design failure rather than an AI-specific flaw: the system should never have allowed sending reset codes to arbitrary email addresses or permitted support staff to disable 2FA. Several users report being personally affected in recent days. The thread identifies account recovery as the structural weak point in authentication systems generally. One commenter working in identity and access management at a financial services firm noted their organization uses government credential verification (costing $2-3 per recovery) with no such vulnerabilities. Critics note Meta chose this approach to avoid hiring support staff, trading security for cost savings.
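The design point the summary and the comment thread both make, that a recovery code must only ever go to a contact already bound to the account and that 2FA stays enforced regardless of what the requester claims, is easy to state in code. The following is an added illustration, not Meta's implementation (the thread describes no code): a minimal recovery handler in the flawed shape beside a hardened one. Account names, email addresses, the rate-limit and code-lifetime constants, and the audit event names are all constructed for the example.

```python
# Added example (not Meta's code): an account-recovery handler that enforces the
# binding check the summarized flaw lacked. All names and data are constructed.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 600          # reset-code lifetime (assumed policy value)
MAX_REQUESTS_PER_HOUR = 3       # per-account request cap (assumed policy value)


@dataclass
class Account:
    username: str
    bound_emails: frozenset       # contacts verified BEFORE any recovery request
    two_factor_enabled: bool
    sessions: set = field(default_factory=set)


class WeakRecovery:
    """Mirrors the summarized flaw: the reset code goes wherever the caller asks."""
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.outbox = []            # (recipient, code) pairs a mailer would send

    def request_reset(self, username, requested_email, claimed_location=None):
        if username not in self.accounts:
            return "unknown"
        code = secrets.token_hex(4)
        self.outbox.append((requested_email, code))   # no binding check at all
        return "sent"


class HardenedRecovery:
    """Codes only reach contacts already bound to the account; 2FA is never waived."""
    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.clock = clock
        self.outbox = []
        self.audit = []             # structured events a SOC can alert on
        self._pending = {}          # username -> (code_hash, email, expiry)
        self._requests = {}         # username -> [request timestamps]

    def request_reset(self, username, requested_email, claimed_location=None):
        # claimed_location is deliberately unused: it is caller-controlled input and
        # must never raise trust. Every branch returns the same value so the endpoint
        # cannot be used to enumerate usernames or bound addresses.
        now = self.clock()
        account = self.accounts.get(username)
        recent = [t for t in self._requests.get(username, []) if now - t < 3600]
        self._requests[username] = recent + [now]
        if account is None:
            self.audit.append(("recovery.refused", username, "unknown_account"))
            return "ok"
        if len(recent) >= MAX_REQUESTS_PER_HOUR:
            self.audit.append(("recovery.rate_limited", username, requested_email))
            return "ok"
        email = requested_email.strip().lower()
        if email not in account.bound_emails:
            # The check the flaw lacked: a caller-supplied address is never trusted.
            self.audit.append(("recovery.refused", username, "unbound_email"))
            return "ok"
        code = secrets.token_hex(4)
        code_hash = hashlib.sha256(code.encode()).digest()
        self._pending[username] = (code_hash, email, now + CODE_TTL_SECONDS)
        self.outbox.append((email, code))
        self.audit.append(("recovery.code_sent", username, email))
        return "ok"

    def confirm_reset(self, username, code, totp_valid):
        """True only if the code is valid and unexpired and 2FA (if enabled) passed."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code_hash, email, expiry = entry
        if self.clock() > expiry:
            del self._pending[username]
            return False
        if not hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).digest()):
            self.audit.append(("recovery.bad_code", username, email))
            return False
        account = self.accounts[username]
        if account.two_factor_enabled and not totp_valid:
            # 2FA is a separate gate; neither support staff nor this flow can waive it.
            self.audit.append(("recovery.2fa_required", username, email))
            return False
        del self._pending[username]         # single use
        account.sessions.clear()            # revoke existing sessions on reset
        self.audit.append(("recovery.completed", username, email))
        return True
```

The hardened handler treats the spoofable signal (claimed location) as noise, answers identically whether or not it sent anything, and emits audit events on every refusal, which is what a detection team would want to alert on when one username attracts repeated recovery attempts from unbound addresses.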