The newest Instagram “exploit” is the goofiest I've seen

TL;DR

Attackers reportedly abused a weak account-recovery flow in Instagram’s support system to take over high-profile accounts, including the Obama White House account. The flow performs only minimal identity checks, so the takeover was alarmingly easy. Meta appears to have patched it, but questions remain about systemic gaps in how the platform handles account recovery.

Instagram accounts, including high-profile ones such as the Obama White House account, were reportedly hijacked through a surprisingly simple support process that sidesteps two-factor authentication, a significant flaw in the platform’s account-recovery design.

The exploit works like this: the attacker uses a VPN to make their connection appear to come from a plausible location, then tells Instagram’s support AI that the account has been hacked and requests a password reset. The AI processes the request without rigorous verification and sends the reset codes to an attacker-controlled email address. The only proof of identity demanded is a basic video selfie, which can reportedly be spoofed with still images or simple animations.

Once the attacker has the reset code, they complete the reset and gain full control of the account. Two-factor authentication offers no protection here because the system treats the recovery as a full account reset: existing sessions are revoked and the linked email address and phone number are replaced. The attack had reportedly been in use for weeks or months before it was detected, and multiple black-market services were offering account hijacking based on it.
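To make the weakness concrete, here is an added example (not Instagram’s or Meta’s code) that models the recovery decision as two policies: the one the report describes, and a hardened one. The account fields, the policy rules, the idea of checking a presented code against what the enrolled authenticator currently shows, and the sample requests are all assumptions made for this illustration. The attacker’s request mirrors the report: a VPN-matched location, a spoofed selfie that passes, and a request to have the codes sent to a new address.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import hmac

# Illustrative model of the recovery decision described above. Added example;
# not Instagram/Meta code. All field names, policies and sample data are assumed.

@dataclass
class Account:
    handle: str
    email: str                       # recovery contact on file BEFORE the request
    phone: str | None
    two_factor_enabled: bool
    current_2fa_code: str | None     # what the enrolled authenticator shows now (assumed)
    recent_login_countries: frozenset

@dataclass
class RecoveryRequest:
    account: Account
    claimed_country: str             # what the requester asserts (trivial to fake with a VPN)
    ip_country: str                  # where the request actually arrived from
    selfie_liveness_passed: bool     # automated selfie check (spoofable, per the report)
    requested_new_email: str | None  # address the requester asks codes to be sent to
    presented_2fa_code: str | None   # code from the account's existing second factor
    has_trusted_session: bool        # request made from a still-logged-in device

@dataclass
class Decision:
    approved: bool
    deliver_code_to: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

def weak_policy(req: RecoveryRequest) -> Decision:
    """The flow as reported: a selfie plus a location that matches the requester's
    own claim is enough, and the reset code goes wherever the requester asks.
    Nothing here is tied to anything only the account owner holds."""
    if req.selfie_liveness_passed and req.claimed_country == req.ip_country:
        dest = req.requested_new_email or req.account.email
        return Decision(True, [dest], ["selfie passed", "location consistent"])
    return Decision(False, [], ["identity check failed"])

def hardened_policy(req: RecoveryRequest) -> Decision:
    """Codes go only to contacts that were on file before the request; an enabled
    second factor must be presented (or a trusted session used); an unfamiliar
    source country forces manual review; contact changes are deferred until after
    the reset, so recovery can no longer silently rewrite the owner's email/phone."""
    acct, reasons = req.account, []
    if req.requested_new_email:
        reasons.append("requester-supplied email ignored; codes go only to contacts on file")
    if acct.two_factor_enabled:
        code_ok = (req.presented_2fa_code is not None and acct.current_2fa_code is not None
                   and hmac.compare_digest(req.presented_2fa_code, acct.current_2fa_code))
        if not (code_ok or req.has_trusted_session):
            return Decision(False, [], reasons + ["2FA enabled: existing factor or trusted session required"])
    if req.ip_country not in acct.recent_login_countries:
        return Decision(False, [], reasons + ["unfamiliar source country: manual review required"])
    if not req.selfie_liveness_passed:
        return Decision(False, [], reasons + ["selfie check failed"])
    on_file = [acct.email] + ([acct.phone] if acct.phone else [])
    return Decision(True, on_file, reasons + ["approved; contact changes deferred until after reset"])

def sample_requests() -> dict:
    """Constructed sample data: one attacker request and one legitimate owner request."""
    acct = Account("example_handle", "owner@example.com", "+1555000", True,
                   "482913", frozenset({"US"}))
    # Attacker: VPN exit in the account's usual country, spoofed selfie passes,
    # asks for codes at their own address, holds neither the 2FA factor nor a session.
    attacker = RecoveryRequest(acct, "US", "US", True, "attacker@example.net", None, False)
    # Owner: same location and selfie, but presents the current authenticator code.
    owner = RecoveryRequest(acct, "US", "US", True, None, "482913", False)
    return {"attacker": attacker, "owner": owner}

if __name__ == "__main__":
    for name, req in sample_requests().items():
        for policy in (weak_policy, hardened_policy):
            d = policy(req)
            print(f"{name:8s} {policy.__name__:16s} approved={d.approved} codes_to={d.deliver_code_to}")
```

Run it and the attacker is approved under the weak policy with the reset code routed to their own address, and denied under the hardened one, where the VPN trick buys nothing because the decision hinges on a factor the attacker does not hold. The design point is that recovery must never be weaker than the login it overrides: if a flow can revoke sessions and rewrite contact details, it has to demand at least the second factor it is about to replace.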

Why It Matters

This is a major weakness in Instagram’s account-recovery path: the recovery flow, not the login flow, was the weakest link, so even accounts protected by two-factor authentication could be hijacked. It raises concerns about user data and about misuse of hijacked accounts, from spreading propaganda to stealing valuable handles. That the attack required so little effort suggests even high-profile accounts were exposed, and underlines the need for recovery checks at least as strong as the login checks they can override.


Background

Recent weeks have seen a surge in account-hijacking reports on Instagram, with attackers relying on the recovery flow’s minimal verification steps. The flaw was exploited by several groups, including some targeting prominent accounts belonging to government and military figures. Meta has reportedly patched the vulnerability, but the incident underscores ongoing security challenges in social media platforms’ support systems.

“The support AI just changes the email linked to the account if you ask it nicely enough. It’s so simple it’s almost funny.”

— Hacker on Hacker News

“The attack relies on minimal checks, making it alarmingly easy for anyone with basic technical knowledge to hijack accounts.”

— Security researcher


What Remains Unclear

It is not yet clear how widely the exploit still works after Instagram’s patch, or whether similar weaknesses exist in other parts of the platform’s support and recovery infrastructure. The full extent of compromised accounts and the potential ongoing risk are still being assessed.


What’s Next

Meta is expected to review and strengthen its account recovery protocols further. Users are advised to monitor their accounts for suspicious activity and consider additional security measures. Future updates may include more rigorous identity verification processes to prevent similar exploits.


Key Questions

How did attackers hijack Instagram accounts so easily?

They exploited a flaw in Instagram’s support AI, which accepted requests to change the account email and reset the password without thorough verification, so an account could be hijacked with little more than a spoofable selfie and a VPN-matched location.

Has Instagram fixed the vulnerability?

Yes, reports indicate that Meta has patched the flaw, but the details of the fix and whether other vulnerabilities remain are still unclear.

Are my Instagram accounts safe now?

While the reported flaw appears to be addressed, users should still enable two-factor authentication and watch account activity for suspicious changes, with one caveat: the attack described here bypassed two-factor authentication entirely, because it went through account recovery rather than login. Treat any password-reset code, email-change or phone-change notification you did not request as a sign that someone is trying to recover your account, and make sure the email account that receives recovery codes is itself well protected.

Could this exploit be used for malicious purposes like spreading misinformation?

Yes, hijacked accounts can be used to spread propaganda, misinformation, or conduct scams, making this a significant security concern.

What should users do if they suspect their account was hijacked?

Immediately attempt to recover the account through official support channels, change passwords, and re-enable two-factor authentication. Also check which email addresses and phone numbers are linked to the account, since this attack replaces them, and report any suspicious activity to Instagram.

Source: Hacker News
