June 1, 2026

Password reset? More like plot twist

The Newest Instagram "Exploit" Is the Goofiest I've Seen

Meta gets roasted after Instagram let strangers reset accounts way too easily

TLDR: A reported Instagram flaw let attackers use Meta’s support AI to reroute account recovery and take over profiles, even bypassing extra login protection. Commenters were stunned that it seemed so easy, roasting Meta as careless and absurdly unprepared.

Instagram just had the kind of security scandal that makes the internet yell "you did WHAT?" According to the report, attackers only needed a public username, a location that looked roughly right, and Meta’s own support chatbot to hand over account recovery codes to a brand-new email address. Yes, really. That meant people could reportedly seize accounts — even big-name ones — change the password, kick out the real owner, and glide right past two-factor authentication, the extra login protection that’s supposed to stop exactly this kind of mess.

And the comments? Absolutely merciless. One stunned user, pixl97, basically summed up the mood with a digital spit-take: why on earth would Instagram send a reset code to some random email instead of the one already on the account? Others piled on with variations of "embarrassing," "amateur," and "hard to believe." The hottest take was that Meta had effectively given a robot helper the keys to the kingdom, with one commenter calling the implications "quite unsettling."

There wasn’t much disagreement in the thread — just a rare moment of community unity through disbelief. The only real debate was whether this was merely sloppy or spectacularly irresponsible. The jokes wrote themselves: people called it social engineering with training wheels, while the overall vibe was that a trillion-dollar company got outsmarted by someone who basically just asked nicely. Meta appears to have patched it now, but commenters are still side-eyeing the whole AI support experiment like it’s a raccoon loose in a server room.

Key Points

  • The article says attackers could allegedly take over Instagram accounts by abusing Meta’s AI support recovery flow with only a username and a location-matched VPN or proxy.
  • According to the article, the support AI would send verification codes to an attacker-supplied email address without confirming that the address had previously been linked to the account.
  • The article states that the recovery process could bypass existing two-factor authentication, revoke active sessions, and lock out the legitimate owner after changing linked contact details.
  • The article reports that black-market Telegram groups offered Instagram account takeover services, with high-value short handles increasing the incentive.
  • The article says Meta appears to have patched the issue and that the method may have been active for weeks or months before the fix.

Hottest takes

"Arbitrary email, wow" — pixl97
"extremely embarrassing for meta" — mtoner23
"straight up amateur shit" — Hugsbox