Instagram accounts continue to be hacked as hackers claim Meta only removed a UI button

Meta AI's API endpoints are reportedly wide open for access, so you can still ask it nicely to hand over Instagram accounts.

3 hours ago

A Google Pixel 9 Pro on a desk, showing the Instagram app.
Taylor Kerns / Android Authority
TL;DR
  • Attackers are using text prompts in Meta AI to change associated email addresses and hijack Instagram accounts, bypassing two-factor authentication.
  • While Meta claims the issue is resolved, users report they are still being hacked.
  • Some developers claim the company only removed the frontend “Get Support” button, leaving API endpoints vulnerable.
  • The security lapse follows Meta’s massive corporate layoffs and reassignments to AI initiatives, which reportedly shrank Instagram’s Trust and Safety division by 60%.

Meta’s overreliance on its Meta AI support chatbot (and its recent AI-centric layoffs) is coming back to bite it. Hackers hijacked several high-profile Instagram profiles by sending simple text prompts to Meta AI that changed the target profile’s associated email address. Meta’s Vice President of Communications, Mr. Andy Stone, stated that the “issue has been resolved and we are securing impacted accounts.” However, it seems the issue hasn’t been resolved, as Instagram accounts continue to be hijacked, with some users claiming Meta has only removed frontend access to the hack while leaving the backend intact!

Notable reverse engineer and code sleuth Jane Manchun Wong claims that one of their secondary accounts with a four-letter username was hacked, despite having two-factor authentication enabled.

Wong’s primary Instagram account password was once again changed without their knowledge.

Both incidents occurred after Meta claimed the issue was fixed.

Under Wong’s posts, many commenters corroborate that the issue is still ongoing. Notably, even Esther Crawford (formerly Director of Product Management at Twitter/X and currently Director of Product Management at Meta) claims that their five-letter Instagram handle was hacked.

Meta’s Andy Stone subsequently mentioned (in response to another post) that the company had “already secured impacted accounts,” and that some people may receive password reset notifications, while others may be asked security questions when they try to log in.

However, users of the Bugify Vault Telegram channel claim that Meta’s “fix” for the issue was simply removing the “Get Support” button from the frontend UI. This prevents users from easily accessing the hack but doesn’t actually fix the vulnerability, since the API endpoints for Meta AI allegedly remain accessible.

Skilled users have seemingly moved on to tools like Telegram bots and other scripts to talk to Meta AI and gain access to Instagram accounts!
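
The difference between hiding a UI button and fixing the endpoint comes down to where the check is enforced. As an added example (not from the article and not Meta's code; every name, the demo key and the proof format are assumptions), this Python models a generic support backend that authorizes an assistant's sensitive action from the authenticated session and a fresh 2FA proof, so the decision is identical whichever client sends the request:

```python
import hashlib
import hmac

# Hypothetical names throughout: a generic support backend, not Meta's system.
SERVER_KEY = b"constructed-demo-key"  # constructed value for the demo
STEP_UP_MAX_AGE = 300  # seconds a 2FA proof stays valid
SENSITIVE_ACTIONS = {"change_email", "reset_password"}

def _tag(account_id, action, ts):
    msg = f"{account_id}|{action}|{ts}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_step_up_proof(account_id, action, now):
    """Issued by the auth service only after the owner passes a 2FA challenge."""
    ts = int(now)
    return f"{ts}.{_tag(account_id, action, ts)}"

def verify_step_up_proof(proof, account_id, action, now):
    """Accept only a fresh proof bound to this account and this action."""
    try:
        ts_str, tag = proof.split(".", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False  # missing or malformed proof
    if not 0 <= now - ts <= STEP_UP_MAX_AGE:
        return False  # expired or dated in the future
    expected = _tag(account_id, action, ts)
    return hmac.compare_digest(tag.encode(), expected.encode())

def authorize_tool_call(session_account, target_account, action, proof, now):
    """Runs at the API endpoint for every caller: app UI, script or bot.

    session_account comes from the authenticated session, never from chat
    text or model output, so a prompt cannot assert ownership.
    """
    if action not in SENSITIVE_ACTIONS:
        return (True, "ok")
    if session_account is None:
        return (False, "unauthenticated")
    if session_account != target_account:
        return (False, "not_account_owner")
    if not verify_step_up_proof(proof, target_account, action, now):
        return (False, "step_up_required")
    return (True, "ok")
```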

What’s the motive, you ask? Instagram accounts with large followings are easy targets for their audience reach, whereas accounts with unique usernames are having those usernames stolen (“sniped”) and sold later to others who are willing to pay for a vanity username. Given how easy the hack allegedly remains, the incentives are high enough to justify the efforts.

Meta recently laid off over 8,000 employees across the company and reassigned another 7,000 employees to new AI initiatives as part of its AI push, according to a New York Times report. Unconfirmed reports suggest that Instagram’s Trust and Safety division has been reduced by 60% thanks to these layoffs and forced reassignments.

We’ve reached out to Meta to learn whether the hack is still active, the steps it has taken to fix the Meta AI vulnerability that allows Instagram accounts to be hacked, and what new guardrails the company has put in place. We’ll update this article when we learn more. Until the vulnerability is properly fixed, there’s no real way to safeguard your Instagram account, even with two-factor authentication enabled.
