Many Instagram users have lost access to their accounts after attackers tricked Meta’s AI support tools into treating them as the real owners. Those users often cannot get back in because the platform routes help only through AI chatbots, with no human support available.
On Monday, many people holding valuable accounts reported that they had suddenly been locked out. They said their identities had been verified with facial scans and that they had enabled safeguards such as two-factor authentication (2FA).
The impacted accounts included one previously used by the Obama White House team, one belonging to app researcher Jane Manchun Wong, @hey, and @korn.
The owner of the @korn account, who noted that the band never officially claimed the account and is using another one, expressed frustration with Meta’s recovery mechanism, which had put them in a time-wasting loop.
“I spent 6 hours trying to get human support, and Meta’s support AI gave me 4 broken links in a row,” explained the user identifying as Kornel.
“We’re at the point where one AI stole it, and another can’t fix it, zero humans in the loop anywhere,” the @korn account owner said.
Some reporters say the account-hijacking attacks were not sophisticated. The attackers chatted with Meta’s AI assistant, convinced it that they were the real account owner, and fooled it into changing the email linked to the account.
The takeover begins when the attacker uses the “forgot password” option on the targeted account. When Instagram’s AI asks for a selfie to verify identity, the attacker takes a photo from the person’s own profile, turns it into a video with AI, and submits that to Meta as proof.
User André says that “Meta’s AI just accepts it because it can’t tell the difference between a real selfie and an AI-generated video of someone’s face.” They also added that the takeover method bypasses 2FA protections.
“Then you try to recover your account, and you’re talking to a chatbot that has zero ability to help. You can’t escalate to a human. You’re just stuck. Your asset is gone, and there’s no one to call,” André said.
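The weakness described above is a recovery flow in which a single automated face check can rebind the account’s email and so sidestep 2FA. The following is an added illustration, not Meta’s or Instagram’s code and not from the article: a toy model of a recovery-decision policy that places the weak rule (face match alone proves ownership) beside a hardened one. The field names, the 72-hour hold period and both policies are assumptions chosen to show the failure mode, not anything the platform actually implements.

```python
"""Toy model of an account-recovery decision policy (added illustration).

Not Meta's or Instagram's code. Field names, policies and the hold period
are assumptions chosen to show the failure mode from the article: an
automated selfie check that, on its own, rebinds the account email.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class RecoveryRequest:
    selfie_check_passed: bool        # automated face match against profile photo
    liveness_check_passed: bool      # active liveness challenge (e.g. random head turn)
    two_factor_enrolled: bool        # account has 2FA (authenticator app or hardware key)
    two_factor_code_valid: bool      # a valid 2FA code was supplied with the request
    old_email_confirmed: bool        # owner clicked a confirm link sent to the current email
    new_email: str                   # email the requester wants bound to the account
    requested_at: datetime


@dataclass
class Decision:
    allow_email_change: bool
    reason: str
    hold_until: Optional[datetime] = None   # change takes effect only after this time
    notify_existing_contacts: bool = False  # tell the current email/phone about the change


def weak_policy(req: RecoveryRequest) -> Decision:
    """The failure mode: a passing face match is treated as full proof of ownership."""
    if req.selfie_check_passed:
        return Decision(True, "selfie matched profile photo")
    return Decision(False, "selfie mismatch")


HOLD_PERIOD = timedelta(hours=72)  # assumed cooling-off window


def hardened_policy(req: RecoveryRequest) -> Decision:
    """Hardened rule set (assumption): a face match is one signal, never a bypass.

    - Once 2FA is enrolled it must be satisfied; a biometric check cannot replace it.
    - Without 2FA, a face match counts only together with an active liveness challenge,
      since replayed or synthesised video defeats a passive comparison.
    - Rebinding the email needs confirmation from the existing email, or else a hold
      period during which the current owner is notified and can cancel the change.
    """
    if req.two_factor_enrolled:
        if not req.two_factor_code_valid:
            return Decision(False, "2FA enrolled; a selfie cannot replace the second factor")
    elif not (req.selfie_check_passed and req.liveness_check_passed):
        return Decision(False, "face match requires an active liveness challenge")
    if req.old_email_confirmed:
        return Decision(True, "confirmed from existing email", notify_existing_contacts=True)
    return Decision(
        True,
        "no confirmation from existing email; change held and owner notified",
        hold_until=req.requested_at + HOLD_PERIOD,
        notify_existing_contacts=True,
    )


def change_is_effective(decision: Decision, now: datetime) -> bool:
    """An allowed change only becomes effective once any hold period has elapsed."""
    if not decision.allow_email_change:
        return False
    return decision.hold_until is None or now >= decision.hold_until


# Constructed sample: the pattern from the article. A synthesised selfie video
# passes the face check; no 2FA code and no confirmation from the owner's email.
T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
HIJACK_REQUEST = RecoveryRequest(
    selfie_check_passed=True, liveness_check_passed=False,
    two_factor_enrolled=True, two_factor_code_valid=False,
    old_email_confirmed=False, new_email="unknown@example.invalid", requested_at=T0,
)

# Constructed sample: a legitimate owner who still has their second factor
# but has lost access to the inbox of the currently linked email.
OWNER_REQUEST = RecoveryRequest(
    selfie_check_passed=True, liveness_check_passed=True,
    two_factor_enrolled=True, two_factor_code_valid=True,
    old_email_confirmed=False, new_email="owner-new@example.invalid", requested_at=T0,
)

if __name__ == "__main__":
    for name, req in (("hijack attempt", HIJACK_REQUEST), ("owner", OWNER_REQUEST)):
        print(name, "| weak:", weak_policy(req), "| hardened:", hardened_policy(req))
```

Under the weak rule the hijack request is granted immediately; under the hardened rule it is refused because the account has 2FA enrolled and no code was supplied, while the genuine owner’s request is granted but held for the cooling-off window with the existing contacts notified, giving the real owner a chance to cancel.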
Mitigation for Users:
Meta says this particular problem is fixed, but account theft remains a risk. Important steps to strengthen your account:
Switch from SMS-based 2FA to an authenticator app (Google Authenticator, Authy) or a hardware security key to eliminate SIM-swap exposure.
Use a private, unlisted email not publicly associated with your name, website, or LinkedIn profile.
Generate fresh backup recovery codes under Security Settings and store them offline, in a password manager or in physical form, never in email drafts.
Audit active sessions via Settings & Privacy → Accounts Center → Password and Security → Where You’re Logged In, and terminate any unrecognized sessions.
Never click links in unexpected password reset emails from Instagram; navigate directly to the app to verify your linked contact information.
