AI Primer

Meta AI support lets attackers swap Instagram recovery emails and bypass 2FA

A Hacker News thread and linked breakdown added fresh technical detail on how Meta's AI support flow let attackers bind new recovery emails to target Instagram accounts. The bug turned account recovery into an access-control failure where weak identity checks and location matching overrode 2FA.

TL;DR

  • The main HN thread and Sid's breakdown describe an Instagram takeover in which attackers asked Meta's AI support bot to attach a new recovery email to a target account, then used the normal password reset path to seize it.
  • According to the linked writeup, attackers needed only a target username plus a VPN endpoint near the victim's location for the request to look legitimate enough to the bot.
  • The HN source summary says the email rebinding bypassed standard checks, including 2FA, because the privileged action happened inside Meta's recovery workflow rather than through the victim's authenticated session.
  • The thread frames the bug as an access control failure inside a high-trust AI recovery tool; commenters compared it to older zero-auth reset bugs rather than treating it as a new class of prompt injection.

Meta's own March launch post said the support assistant would handle password and profile-setting issues 24/7. You can read Sid's full exploit walkthrough, Meta's fix acknowledgment via TechCrunch's reporting, and the original HN thread that turned the incident into an auth design postmortem.

Email swap flow

The Newest Instagram "Exploit" is the Goofiest I've Seen: A Breakdown of the Meta AI Takeover Fiasco

A critical security flaw in Meta's AI support chatbot allowed attackers to take over Instagram accounts by simply requesting an email change for a target username. By using a VPN to mimic the victim's location, attackers could prompt the AI—which lacked robust identity verification—to bind an attacker-controlled email to the target account. This process bypassed standard security, including 2FA, allowing the attacker to trigger a password reset and gain full ownership. The vulnerability, which resulted in the compromise of various high-profile and "OG" (short-handle) accounts, was patched by Meta in early June 2026. Experts emphasize that the incident represents a failure in access control rather than a sophisticated prompt injection, highlighting the dangers of integrating autonomous AI agents into sensitive account-recovery workflows.

Sid's writeup breaks the flow into three steps:

  1. Put the attacker on a VPN or proxy near the victim's apparent location.
  2. Start the normal account recovery path with only the target username.
  3. Ask the AI support assistant to bind an attacker-controlled email, then trigger a password reset to that new address.

The ugly detail is that the bot appears to have had enough backend authority to make the recovery email change stick. Once that happened, the rest of the takeover used Instagram's legitimate recovery machinery, not a stolen session or intercepted 2FA code.

Access control failure

The newest Instagram “exploit” is the goofiest I've seen

This is a cautionary example of letting an AI agent participate in privileged recovery flows. The engineering takeaway is that model-facing support tooling needs hard identity-verification gates, least privilege, and non-bypassable controls for account ownership changes; otherwise the AI becomes a high-trust interface into the authentication stack.

The best framing came from the HN discussion roundup, where one commenter called it a "zero auth password reset" and compared it to an old Dropbox bug in the same family. That matches SecurityWeek's reporting, which described the flaw as a confused deputy problem: the AI assistant had permission to perform sensitive recovery actions, but weak identity checks let attackers borrow that authority.

That distinction matters because it narrows the failure surface. The model did not need to be jailbroken into arbitrary behavior. It only needed to follow a broken recovery policy.
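To make the distinction concrete, here is an added example (not code from Sid's writeup, Meta, or any of the linked reports) that models the two recovery-email policies this section contrasts. The weak gate reproduces the flow described above: knowing the username and appearing in the account's region, or simply being the privileged support caller, is enough to rebind the address. The hardened gate makes any ownership change depend on proof of a factor the current owner already holds, so the support tool's own authority cannot be borrowed to satisfy it. Account data, regions, addresses and the factor names ("totp", "existing_email") are all constructed for the example.

```python
"""Added example: a recovery-email change gated two ways.

weak_policy() models the flow described in the writeup; hardened_policy()
requires possession proof of an existing factor and ignores caller privilege
and geolocation. All names and data below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Callable, FrozenSet, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"  # caller must first prove control of an existing factor


@dataclass(frozen=True)
class Account:
    username: str
    recovery_email: str
    totp_enabled: bool
    home_region: str  # coarse geolocation the weak policy treats as an identity signal


@dataclass(frozen=True)
class ChangeRequest:
    username: str
    new_email: str
    caller: str                 # "owner_session" or "support_bot" (ambient authority)
    client_region: str          # requester geolocation, trivially spoofed with a VPN
    verified_factors: FrozenSet[str] = frozenset()  # factors challenged and passed this session


Policy = Callable[[Account, ChangeRequest], Decision]


def weak_policy(acct: Account, req: ChangeRequest) -> Decision:
    """A privileged support caller, or a requester whose region matches the
    account, may rebind the recovery email with no possession proof at all.
    Knowing the username is the only 'identity' the gate asks for."""
    if req.caller == "support_bot" or req.client_region == acct.home_region:
        return Decision.ALLOW
    return Decision.DENY


def required_factors(acct: Account) -> FrozenSet[str]:
    """An ownership change must be approved by the strongest factor the owner holds."""
    return frozenset({"totp"}) if acct.totp_enabled else frozenset({"existing_email"})


def hardened_policy(acct: Account, req: ChangeRequest) -> Decision:
    """Non-bypassable gate: the requester must have passed a challenge against an
    existing factor in this session. Who the caller is (owner, support agent, or a
    bot acting for either) and where they appear to be carry no weight, so a
    support tool's authority cannot stand in for the owner's (no confused deputy)."""
    if req.username != acct.username:
        return Decision.DENY
    if not required_factors(acct) <= req.verified_factors:
        return Decision.STEP_UP
    return Decision.ALLOW


def apply_email_change(acct: Account, req: ChangeRequest, policy: Policy) -> Tuple[Decision, Account]:
    """Evaluate the policy; only an ALLOW rebinds the recovery email."""
    decision = policy(acct, req)
    if decision is Decision.ALLOW:
        return decision, replace(acct, recovery_email=req.new_email)
    return decision, acct


def password_reset_destination(acct: Account) -> str:
    """The rest of the takeover: the normal reset path mails whichever address is bound."""
    return acct.recovery_email


def demo() -> dict:
    # Constructed data: a 2FA-protected account, and an attacker working through the
    # support bot from a VPN endpoint in the victim's region with only the username.
    victim = Account("og_handle", "owner@example.com", totp_enabled=True, home_region="US-CA")
    via_bot = ChangeRequest("og_handle", "attacker@example.net",
                            caller="support_bot", client_region="US-CA")
    # The legitimate owner, travelling abroad, who answered a TOTP challenge this session.
    owner = ChangeRequest("og_handle", "newowner@example.com", caller="owner_session",
                          client_region="FR", verified_factors=frozenset({"totp"}))

    weak_d, weak_acct = apply_email_change(victim, via_bot, weak_policy)
    hard_d, hard_acct = apply_email_change(victim, via_bot, hardened_policy)
    owner_d, owner_acct = apply_email_change(victim, owner, hardened_policy)
    return {
        "weak": (weak_d, password_reset_destination(weak_acct)),
        "hardened": (hard_d, password_reset_destination(hard_acct)),
        "owner": (owner_d, password_reset_destination(owner_acct)),
    }


if __name__ == "__main__":
    for name, (decision, reset_to) in demo().items():
        print(f"{name:9s} {decision.value:8s} reset mail goes to {reset_to}")
```

The point of the model is where the gate looks: the weak policy keys on context signals an attacker controls (caller role, apparent location), while the hardened policy keys only on a challenge the real owner has answered, which is why the same request through the bot yields a step-up instead of a rebinding.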

Patch timeline

Fresh discussion on The newest Instagram “exploit” is the goofiest I've seen

Today's new discussion stays on the same theme but adds two concrete comparisons. One commenter calls it the first “zero auth password reset” they’ve seen in production and compares it to an old Dropbox bug where any email could be used to log in briefly, reinforcing the idea that this class of failure is a classic auth design problem rather than an AI novelty. Another fresh comment adds a broader Meta-specific anecdote about a Facebook account being stolen, the attacker locking recovery out with PGP, and support taking months to help, arguing that Meta’s incentives and support posture make these failures predictable. It doesn’t change the technical diagnosis, but it does widen the discussion from one chatbot flaw to a pattern of weak recovery and indifferent remediation.

TechCrunch reported that Meta spokesperson Andy Stone said "the issue that did happen has already been fixed," and that Meta secured affected accounts on Monday before sending password reset emails. The same report said the takeover campaign appeared to continue briefly even after Meta said the bug was resolved.

Discussion around The newest Instagram “exploit” is the goofiest I've seen

Thread discussion highlights:

  • varenc, on the zero-auth password reset analogy: "The first proper zero auth password reset I've seen in production." ... Dropbox briefly had an even easier "zero auth exploit"
  • conradev, on the Meta account takeover anecdote: "My girlfriend's Facebook got stolen via a novel technique..." ... "It took many, many months to get the account back"

The tail of the HN thread widened from this one chatbot bug to Meta's recovery posture more broadly. One cited comment described a separate Facebook account theft that took months to unwind, which is anecdotal but useful context for why an AI support bot with direct recovery powers set people off so fast.
