The Newest Instagram "Exploit" Is the Goofiest I've Seen

Yesterday, a slew of Instagram accounts, including some high profile ones like the Obama White House account, seemingly got hacked. I ve seen my share of exploits and takeover techniques, but this is the most unserious, "almost too stupid to be true" of them all.

Step 01: Faking the Location & Initiating Support All the attacker needs to kick this off is your account username. Then, they hop on a VPN or proxy close to your city so Instagram s security algorithms don t suspect a thing. (You can quite easily get this from your public profile or "About" section or a hundred other ways.) Once it looks like the request is coming from the correct region, they tell the Meta support AI that the account is hacked and ask it to send the verification codes to an arbitrary email address they control.

Step 02: That s ItReally, that s it. The first proper zero auth password reset I ve seen in production. There appears to be no additional check as to whether the email being given is actually something the user has used before. Once the AI sends the security code to the attacker s email, the attacker passes it right back to complete the verification. The platform hands over a fresh password reset link, granting full ownership to the attacker.