Instagram accounts, including high-profile ones like the Obama White House account, were hacked using a simple method that exploited the platform's account recovery process. The attackers tricked Meta's support AI into sending verification codes to an arbitrary email address they controlled. This allowed them to gain full ownership of the account and reset the password.

The vulnerability arose because the system treated high-privilege recovery flows as total account resets by the "true" owner, bypassing two-factor authentication (2FA) in the process. The attackers did not need any personal information or complex hacking techniques; they needed only the account username and a convincing support request.
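An added example, not Meta's code or part of the original report: a recovery policy with the flaw described above, next to a guarded version that only sends codes to contact points already verified on the account and still requires the second factor. All names, the policy structure and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    username: str
    verified_emails: frozenset      # contact points confirmed before the request
    two_factor_enrolled: bool

@dataclass(frozen=True)
class RecoveryRequest:
    username: str
    destination_email: str          # where the requester wants the code sent
    second_factor_passed: bool = False

@dataclass(frozen=True)
class Decision:
    send_code_to: Optional[str]
    allow_reset: bool
    reason: str

def flawed_policy(account, req):
    # Pattern the article describes: the requester picks the destination and
    # the flow counts as the owner's own reset, so 2FA is never consulted.
    return Decision(req.destination_email, True, "treated_as_owner")

def guarded_policy(account, req, audit_log):
    dest = req.destination_email.strip().lower()
    on_file = {e.lower() for e in account.verified_emails}
    if req.username != account.username or dest not in on_file:
        # Denials are recorded so repeated attempts can be detected.
        audit_log.append((account.username, "recovery_denied_unverified_destination"))
        return Decision(None, False, "destination_not_on_file")
    if account.two_factor_enrolled and not req.second_factor_passed:
        audit_log.append((account.username, "recovery_denied_missing_2fa"))
        return Decision(None, False, "second_factor_required")
    return Decision(dest, True, "verified_destination")

# Constructed sample data (not real accounts or addresses).
ACCOUNT = Account("example_user", frozenset({"owner@example.com"}), True)
UNKNOWN_DEST = RecoveryRequest("example_user", "someone-else@example.net")
OWNER_NO_2FA = RecoveryRequest("example_user", "Owner@Example.com")
OWNER_WITH_2FA = RecoveryRequest("example_user", "owner@example.com", True)

if __name__ == "__main__":
    log = []
    for r in (UNKNOWN_DEST, OWNER_NO_2FA, OWNER_WITH_2FA):
        print(flawed_policy(ACCOUNT, r).reason, "|", guarded_policy(ACCOUNT, r, log).reason)
    print(log)
```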

The hack was reportedly active for weeks or months before Meta patched it. Multiple black market Telegram groups have been offering "account takeover" services at high rates, with some accounts being flipped for hundreds of thousands or even millions of dollars. This incident highlights the need for robust security measures and guardrails in online platforms, particularly those as large as Instagram.