TL;DR

Attackers abused a weakness in Instagram’s account-recovery support flow to take over high-profile accounts with minimal effort. The flow bypassed 2FA and hinged on Meta’s AI support agent issuing a reset code to an email address the attacker supplied. Meta appears to have patched the flaw, but the incident exposes a weak link in automated account recovery.

Instagram accounts, including high-profile ones such as the Obama White House account, were taken over through a simple support-request exploit that bypassed 2FA and the platform’s other safeguards. The incident exposes a serious weakness in Meta’s account recovery process, which has since been addressed.

According to reports on Hacker News, attackers exploited a flaw in Instagram’s account recovery system by opening support requests over a VPN so that they appeared to originate from the account’s home region. They then convinced Meta’s AI support system that the account had been hacked, and it sent a verification code to an email address the attacker controlled. With that code the attacker reset the password and took full control. The flow bypassed 2FA and required no further identity verification such as a video selfie; some reports say the AI support accepted a simple, or even animated, profile image as proof of identity.

The attack relied on what amounted to a zero-authentication password reset flow, which appears to have been usable for weeks, and possibly months, before Meta patched it. Several high-profile accounts, including those of government entities, were targeted. Telegram groups offering account takeover as a service appeared, with prices reportedly reaching hundreds of thousands of dollars for short handles or otherwise valuable accounts. Meta has since addressed the flaw, but the incident exposes significant gaps in the platform’s recovery security.
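The recovery flow described above is worth modelling, because the defect is a policy error rather than a software bug: the reset code was delivered to an address named in the ticket, and the decision never consulted the account’s second factor. The following is an added illustration, not Meta’s code and not reconstructed from any report. The account and ticket fields, the policy checks, the sample tickets, the handle and the TOTP stand-in are all assumptions constructed for the example. It places the weak flow beside a hardened one and adds an audit view that flags tickets the weak flow would have approved.

```python
"""Added model of an account-recovery decision: a weak flow shaped like the
incident beside a hardened one. Hypothetical code, not Meta's; every field,
check and sample value below is an assumption made for the illustration."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
import hmac
import secrets


@dataclass(frozen=True)
class Account:
    handle: str
    enrolled_emails: frozenset     # recovery contacts verified before any ticket was opened
    totp_enabled: bool             # account has a second factor turned on
    country: str                   # region of the account's normal sign-ins


@dataclass(frozen=True)
class SupportTicket:
    handle: str
    claim: str                     # what the requester tells support ("hacked", ...)
    deliver_code_to: str           # address the requester asks the reset code be sent to
    request_country: str           # region the request appears to come from (a VPN can fake this)
    image_looks_like_owner: bool   # the chatbot's judgment of a submitted profile image
    totp_code: Optional[str] = None


Decision = Tuple[str, Optional[str], Optional[str]]   # (outcome, destination, code)


def vulnerable_recovery(acct: Account, ticket: SupportTicket) -> Decision:
    """Weak flow shaped like the one in the reports: a plausible story, a
    matching region and an image the bot accepts are enough, the code goes to
    whatever address the ticket names, and 2FA is never consulted."""
    if (ticket.claim == "hacked"
            and ticket.request_country == acct.country
            and ticket.image_looks_like_owner):
        return "send_code", ticket.deliver_code_to, secrets.token_hex(3)
    return "deny", None, None


def hardened_recovery(acct: Account, ticket: SupportTicket,
                      totp_check: Callable[[Account, str], bool]) -> Decision:
    """Hardened flow: the code goes only to a contact enrolled before the ticket
    existed, a 2FA-enabled account must present its second factor or be routed
    to manual identity verification, and neither the request's region nor the
    bot's opinion of an image counts as evidence."""
    if ticket.deliver_code_to not in acct.enrolled_emails:
        return "deny", None, None        # requester-supplied address is never a recovery channel
    if acct.totp_enabled:
        if not (ticket.totp_code and totp_check(acct, ticket.totp_code)):
            return "escalate", None, None  # lost 2FA means human review, not an automated code
    return "send_code", ticket.deliver_code_to, secrets.token_hex(3)


def audit(acct: Account, tickets, totp_check) -> list:
    """Detection view of the same policy: the tickets the weak flow approved
    that the hardened flow would not, i.e. the ones worth hunting for in
    historical support logs."""
    return [t for t in tickets
            if vulnerable_recovery(acct, t)[0] == "send_code"
            and hardened_recovery(acct, t, totp_check)[0] != "send_code"]


# --- constructed sample data (assumed for the example, not from the incident) ---
TARGET = Account("target_example", frozenset({"owner@example.org"}), True, "US")
DEMO_TOTP = {"target_example": "492113"}   # stand-in for a real TOTP verifier


def demo_totp_check(acct: Account, code: str) -> bool:
    return hmac.compare_digest(code, DEMO_TOTP.get(acct.handle, ""))


ATTACKER_TICKET = SupportTicket("target_example", "hacked", "attacker@example.net", "US", True)
OWNER_NO_2FA = SupportTicket("target_example", "hacked", "owner@example.org", "US", True)
OWNER_WITH_2FA = SupportTicket("target_example", "hacked", "owner@example.org", "US", True, "492113")


def run_demo() -> dict:
    tickets = [ATTACKER_TICKET, OWNER_NO_2FA, OWNER_WITH_2FA]
    return {
        "attacker_weak": vulnerable_recovery(TARGET, ATTACKER_TICKET)[:2],
        "attacker_hardened": hardened_recovery(TARGET, ATTACKER_TICKET, demo_totp_check)[:2],
        "owner_lost_2fa": hardened_recovery(TARGET, OWNER_NO_2FA, demo_totp_check)[:2],
        "owner_with_2fa": hardened_recovery(TARGET, OWNER_WITH_2FA, demo_totp_check)[:2],
        "flagged": [t.deliver_code_to for t in audit(TARGET, tickets, demo_totp_check)],
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The design point is that recovery must never be weaker than login: the hardened flow binds the delivery channel to contacts enrolled before the ticket existed, so an attacker-supplied address is rejected before any story or image is considered, and a 2FA-enabled account that cannot present its factor is escalated to a human rather than handed an automated code. The audit function shows the same policy used defensively, flagging the owner’s lost-2FA ticket as well as the attacker’s, since both were approved without the verification the hardened flow demands.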

Why It Matters

This incident exposes critical weaknesses in Instagram’s account recovery process, in particular in the AI support system that handles it. The ease with which attackers bypassed 2FA and gained full account control raises questions about how robust social media account security really is when a recovery path is weaker than the login it protects. For users and organizations, it underlines the need for vigilance and the risk of relying solely on automated support systems for account recovery.


Background

Over the past year, social media platforms have faced increasing scrutiny over account security. Instagram, owned by Meta, has relied on multi-factor authentication and its support systems to protect user accounts. Exploits such as this one show that automated support workflows can undo those protections: the method was reportedly usable for at least weeks, which points to a significant oversight in how the recovery path was secured. Meta has since patched the flaw, but the incident adds to ongoing concerns that automated support channels are an attractive target for malicious actors.

“This is the most unserious, ‘almost too stupid to be true’ exploit I’ve seen. All it takes is a support request, a VPN, and some AI support tricks.”

— Hacker News user

“We have addressed the security flaw and are committed to protecting user accounts.”

— Meta spokesperson (unnamed)


What Remains Unclear

It is not yet clear how many accounts were affected in total, or whether anything beyond control of the accounts was compromised. The full scope of the vulnerability’s impact remains undisclosed, and it is uncertain whether similar flaws exist in other support workflows across Meta’s platforms.


What’s Next

Meta is expected to monitor for similar exploits and to harden the security of its AI support systems. Users are advised to review their account recovery settings, check that only email addresses and phone numbers they control are enrolled as recovery contacts, and enable additional security layers. Further updates on the incident’s scope and any additional patches are anticipated in the coming weeks.


Key Questions

How did attackers bypass Instagram’s security measures?

They exploited a flaw in the AI support system that let them trigger a password reset simply by convincing it the account had been hacked, without the traditional verification steps such as a 2FA challenge or an identity video.

Were any high-profile accounts affected?

Yes, accounts including the Obama White House and the Chief Master Sergeant of the U.S. Space Force were reportedly targeted or compromised.

Has Meta fixed the vulnerability?

Yes, Meta has indicated that the security flaw has been patched and that the exploit no longer works.

Could this happen again?

While this specific vulnerability has been addressed, the incident shows that automated support systems are a weak point that could be exploited again if their recovery decisions are not held to the same standard as login.

Source: Hacker News
