The post argues that Instagram account takeovers were being driven by an absurdly weak Meta AI support flow. Attackers could tell the support bot an account was hacked, supply a new email address, receive the verification code there, and get a password reset path for the target account. Krebs then reported the same basic pattern. The core issue was not some exotic model jailbreak. It was that a high-risk recovery tool appears to have accepted attacker-controlled inputs for where recovery should go. That effectively moved account recovery from “prove you are the owner” to “phrase the request correctly.”
Most people landed on a harsher reading than “AI made a mistake.” They saw an old support weakness made dramatically worse by an
LLM front end and poor tool design. Recovery has always been the weak point in authentication because companies need some fallback for users who lose email, phones, or
2FA devices. But commenters kept pointing out that Meta chose the worst possible implementation. Instead of hardcoding backend limits like “only send to addresses already on file” or “require a cooldown and repeated notice to existing channels,” they appear to have let the bot drive a privileged workflow with too much freedom. That is why the discussion kept circling back to architecture, not prompting. If the tool can perform the dangerous action, the model should be assumed willing to invoke it.
The thread also filled in practical context. Several people with direct or recent account takeover experiences said Meta support has been fragile for years, with front-line reps, contractors, or automated systems able to disable 2FA, move emails, or fail legitimate recovery entirely. A few people reported being locked out or briefly compromised during the same wave, while others said they got accounts back by using the same “my account was hacked” flow against the support AI. There was disagreement on one important detail: some commenters insisted the reported exploit did not bypass existing
MFA and mainly worked on accounts without it, while others described 2FA removals and adjacent bypasses as common enough that “turn on 2FA” did not feel like a complete answer. The practical consensus was narrower and more useful: 2FA helps, but weak recovery can still erase much of its value.
A second strong theme was that there are well-known ways to make recovery safer without making it impossible. People cited Google, Microsoft, Apple, banks, and
login.gov style flows that use delays, repeated notifications to existing channels, trusted contacts, government ID checks, in-person or postal verification, and expensive but deterministic fallback processes. None are perfect, and some create privacy or usability tradeoffs, but they at least put friction in front of takeover. The anger here came from Meta seeming to skip those boring guardrails while attaching AI to a privileged support path. That made the exploit feel less like an isolated bug and more like a warning about what happens when companies bolt agents onto internal tools and call that a product.