sicutdeux@blog:~/links$cat the-newest-instagram-exploit-is-the-goofiest-i-ve-seen.md
The newest Instagram “exploit” is the goofiest I've seen
---
source_url:
source_name: www.0xsid.com
published: 2026-06-08
status: published
---
a zero-auth password reset in production, with no check on whether the provided email had ever been associated with the account. the support ai just changes the linked email if you ask nicely enough.
instagram's account recovery flow is a masterclass in what not to do. the attacker spoofs location via vpn, contacts the support ai claiming the account is compromised, gets the verification codes redirected to an attacker-controlled email, done. 2fa gets nuked in the process because the system treats this as a legitimate owner reset. the goof part: the ai selfie verification passes on animated public photos. this stayed live for weeks/months at scale before patching. worth reading as a cautionary tale on outsourcing security logic to systems without proper guardrails—frictionless support bought at the cost of account takeover.
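an added example, not from the original post or from instagram: a toy model of the flaw above, with the weak recovery handler beside a hardened one. all names (`Account`, `weak_support_reset`, `hardened_support_reset`, `confirm_reset`) are assumed for illustration.

```python
# Added example, not the page's or instagram's code. Models the recovery flaw
# described in the post: the weak handler rebinds recovery to any claimed email
# and drops 2FA; the hardened one only sends codes to contacts already on file,
# keeps 2FA, and changes nothing until a code sent to that contact comes back.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
import secrets


@dataclass
class Account:
    user: str
    emails: Set[str]                         # contact emails already on file
    two_factor: bool = True
    pending: Optional[Tuple[str, str]] = None  # (target email, code) awaiting reply
    audit: List[str] = field(default_factory=list)


def weak_support_reset(acct: Account, claimed_email: str) -> str:
    """Weak flow: trusts the caller's story, adds the claimed email as a contact,
    routes the code there and clears 2FA as if the owner had asked for a reset."""
    acct.emails.add(claimed_email)
    acct.two_factor = False
    acct.pending = (claimed_email, secrets.token_hex(3))
    return claimed_email


def hardened_support_reset(acct: Account, claimed_email: str) -> Optional[str]:
    """Hardened flow: a code is sent only to a contact already on file, 2FA is
    left untouched, and a request naming an unknown email is logged and refused.
    The code is returned here only so the flow can be exercised offline; a real
    system would deliver it to the on-file address and never return it."""
    if claimed_email not in acct.emails:
        acct.audit.append(f"refused recovery to unknown contact {claimed_email}")
        return None
    code = secrets.token_hex(3)
    acct.pending = (claimed_email, code)
    acct.audit.append(f"recovery code sent to on-file contact {claimed_email}")
    return code


def confirm_reset(acct: Account, code: str, new_email: str) -> bool:
    """Only after proof of control of an existing contact is a new email added."""
    if acct.pending is None or not secrets.compare_digest(acct.pending[1], code):
        acct.audit.append("bad or missing confirmation code")
        return False
    acct.emails.add(new_email)
    acct.pending = None
    return True
```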