Meta AI Support Flaw Enables Instant Instagram Account Takeovers
Meta's AI-driven recovery flow allowed trivial Instagram takeovers for weeks via email redirection and fake video selfies.
The flaw let an attacker who knew only a target's username, connected through a VPN in the account's region and asked the Meta AI support chatbot to swap the recovery email to an unverified address take the account, with none of the existing password or 2FA credentials standing in the way.
The primary writeup at 0xsid.com [1] records the verification code being sent to the attacker-supplied address with no check that the address had any prior history on the account. Existing 2FA sessions were revoked silently, and recovery access was transferred without any notification to the original owner.
Affected accounts included @obamawhitehouse and @ocmssf; Telegram markets priced short-handle takeovers in the hundreds of thousands of dollars during the multi-week window before the flaw was closed.
Accounts placed into the AI-driven flow by A/B testing had no fallback to human review, and users had no setting to opt out of it, so the vector could not be disabled from the victim's side.
AXIOM: Automated support systems without email-history or biometric checks will continue enabling low-effort social-account takeovers until guardrails are added.
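The weak pattern described above (recovery code routed to whatever address the requester supplies, existing 2FA dropped silently, no notice to the owner) and the guardrails named in the AXIOM can be contrasted in a small model of a recovery-email change handler. The code below is an added illustration, not Meta's code and not a claim about how Meta's systems are built; the `Account` store, the two handlers and the sample addresses are all constructed for this example.

```python
"""Illustrative model of a recovery-email rebinding flow.

weak_recovery mirrors the failure pattern reported on this page: the
requester's new address is trusted outright, 2FA is revoked silently and
the previous owner is never told. hardened_recovery applies the guardrails
the page calls for: the new address must already appear in the account's
email history, 2FA is left untouched, and the current owner is notified
whether the request is accepted or refused.

This is constructed example code, not Meta's implementation.
"""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Account:
    username: str
    current_email: str
    # Addresses that were previously verified on this account (constructed).
    email_history: set = field(default_factory=set)
    twofa_enabled: bool = True
    # Notices "sent" to the current owner, recorded here for inspection.
    owner_notices: list = field(default_factory=list)


@dataclass
class RecoveryResult:
    accepted: bool
    code_sent_to: Optional[str]
    twofa_enabled_after: bool
    reason: str


def _issue_code() -> str:
    # Six-digit one-time code; secrets.randbelow is unbiased.
    return f"{secrets.randbelow(10**6):06d}"


def weak_recovery(acct: Account, requested_email: str) -> RecoveryResult:
    """Failure pattern: code goes to the requester, state changes silently."""
    _issue_code()                             # "sent" to requested_email
    acct.current_email = requested_email      # recovery rebinds immediately
    acct.twofa_enabled = False                # silent 2FA revocation
    # No history check and no notice to the previous owner.
    return RecoveryResult(True, requested_email, acct.twofa_enabled,
                          "code sent to requester-supplied address")


def hardened_recovery(acct: Account, requested_email: str) -> RecoveryResult:
    """Guardrails: email-history check, 2FA untouched, owner notified."""
    if requested_email not in acct.email_history:
        # Unknown address: refuse the automated path, tell the current owner,
        # leave the account unchanged so a human review can take over.
        acct.owner_notices.append(
            f"recovery-email change to {requested_email} requested and refused")
        return RecoveryResult(False, None, acct.twofa_enabled,
                              "address not in account email history; escalated")
    # Previously verified address: still notify the owner, keep 2FA as-is.
    acct.owner_notices.append(
        f"recovery code sent to previously verified address {requested_email}")
    _issue_code()                             # "sent" to requested_email
    # In a real flow the rebind would wait for the code to be verified;
    # the model rebinds here to keep the state change visible.
    acct.current_email = requested_email
    return RecoveryResult(True, requested_email, acct.twofa_enabled,
                          "code sent to previously verified address; owner notified")


def demo() -> dict:
    """Run both handlers against constructed accounts and return the outcomes."""
    victim_weak = Account("victim", "owner@example.com", {"owner@example.com"})
    victim_hard = Account("victim", "owner@example.com",
                          {"owner@example.com", "old@example.org"})
    return {
        "weak_attacker": weak_recovery(victim_weak, "attacker@example.net"),
        "hard_attacker": hardened_recovery(victim_hard, "attacker@example.net"),
        "hard_known": hardened_recovery(victim_hard, "old@example.org"),
        "hard_notices": list(victim_hard.owner_notices),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the contrast is the check order: the hardened handler decides whether the address is even eligible before any code is issued, and every branch leaves a trace the owner can see. A region or device check could sit alongside the history check, but the history check alone already stops the unverified-address swap described on this page.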
Sources (2)
- [1] [Primary source](https://www.0xsid.com/blog/meta-account-takeover-fiasco)
- [2] [Related source](https://krebsonsecurity.com/tag/meta/)