Limitless Podcast - Hijacking Instagram: Behind The Massive AI Exploit
Episode Date: June 4, 2026A Meta AI account-recovery exploit let attackers trigger password reset links for Instagram and Facebook accounts through social engineering.With this backdrop, we explore security risks for ...AI systems, including prompt injection, and close with advice on stronger authentication and safer account practices.------🌌 LIMITLESS HQ ⬇️NEWSLETTER: https://limitlessft.substack.com/FOLLOW ON X: https://x.com/LimitlessFTSPOTIFY: https://open.spotify.com/show/5oV29YUL8AzzwXkxEXlRMQAPPLE: https://podcasts.apple.com/us/podcast/limitless-podcast/id1813210890RSS FEED: https://limitlessft.substack.com/------TIMESTAMPS0:00 Meta AI Hack2:35 How The Scam Worked5:11 Two-Factor Fails7:57 The Confused Deputy9:30 Meta’s Security Failure13:18 White House Response17:32 How To Protect Yourself22:14 Bigger AI Threats23:55 Closing Thoughts------RESOURCESJosh: https://x.com/JoshKaleEjaaz: https://x.com/cryptopunk7213------Not financial or tax advice. See our investment disclosures here:https://www.bankless.com/disclosures
Transcript
Discussion (0)
Now, let's say you want to steal a $200,000 Instagram handle.
The old way would be to send a fishing email or install malicious malware or maybe even buy a leaked password off a shady website on the dark web.
Well, yesterday, hackers discovered a new way, sweet-talking an AI assistant into handing over someone else's password.
Here's how it worked.
You open up a chat with Meta's AI assistant.
You tell it you're locked out of your account.
Maybe you sound a little bit panicked.
Maybe you tell them that you lost your phone.
And the AI trying to be helpful to you resets the password.
all for you, done, just hands over the keys to someone else's account.
Now, this resulted in accounts worth over $1 million, including the White House official account
getting stolen right in front of their eyes.
And the craziest part was this technically wasn't a security exploit.
Meta security systems worked as they were designed, but someone managed to convince an AI
and the AI trying to be helpful just handed over the keys.
What's crazy is, in the time it took you to say that intro, we watched on screen this video
of them actually doing the exploit and completing the exploit in what happened. So what actually
happened here? I guess the terms that we're going to use are going to be a little fuzzy because
this very much is an exploit. And although no code was hacked, there is a new threat vector that
we're going to explore, which is this AI support agent. So recently, Meta has been testing out,
this AI powered account recovery assistant on some Instagram accounts. And the assistant could actually
trigger password reset emails, which allowed you to recover an account in the case that you lost it.
The problem is that there's no hard authentication checkpoints and no rate limiting, meaning
you can continue to ping this thing over and over and over again.
So while attackers didn't exactly find a bug in the code, they used social engineering,
which is very popular.
It's basically convincing the person on the other side to give you something that you should
not have access to, and that's what they did.
So through a series of prompts, they were able to actually exploit the system, convince it
to send a password recovery email to an account that did not belong to them.
and they were able to acquire the most valuable handles on the platform.
Starting with Barack Obama's White House account was hacked.
It was totally compromised.
It was posting content that certainly should not have been there.
And more importantly, there's a lot of businesses and a lot of individuals who are really
affected by this.
Like if you're running a business on Instagram and that is the primary source of your income,
you may have just lost your account if it was a high value handle like one letter or like
the word hey or whatever.
there's just a series of Instagram handles that generally go for hundreds of thousands of dollars
that were stolen. And currently, people are trying to get them back. MET is saying they're solving it.
But before we get into all of the downstream effects, you want to walk us through exactly how
easy it is. Like, we can do this ourselves in like five minutes. I think it's no more than six
steps. It's really, this is a serious problem. Okay. So the craziest part about this for me was
how simple it is to pull off. And there are three ways that hackers were able to exploit this.
So I'm going to walk you through the one that you're watching on your screen right now.
So it starts with the attacker spoofing their location.
So they have an idea of the account that they want and they know where the account holder resides.
So they use a VPN and they target the user's specific region, so it pretending to be the user.
Then it starts the password reset.
So typically when you log in, there's like a reset your password function, right?
So he clicks that and he clicks the account is hacked.
So that triggers a flow which opens up Meta's AI assistant, which they are testing.
So you get connected to the support bot and you basically say, hey, I have a new email address.
This is my username and giving the username that they don't actually own.
Can you just send me a code to reset this account, please?
Sorry, I don't have my phone.
I've lost everything else.
And the AI trying to be helpful basically sends a verification code to the attacker's email,
which they've just spun up.
And presto, that's it.
You can reset the entire account, reset the entire password.
And the rightful owner wakes up the next day.
and they just don't have access to the account.
This is one of a couple of versions of this exploit.
So what people started to realize is after this first one went through,
that not only is this a specific exploit,
but this is an entirely new attack vector,
there is this bot that can be tricked into believing other things,
and it has basically God mode access to do anything that it wants.
So people were kind of pen testing this,
penetrate testing, see where they can access it from other ways,
and there is a second version of this exploit
that was shortly discovered after the first, because sometimes it didn't work so well.
Sometimes the AI bot requested some additional verification.
In this sense, it was a headshot or a short video of the target's face.
It wants to make sure that you are actually the person you say that you are,
so it's requesting proof of personhood.
Well, turns out, METIS AI agents aren't that great at recognizing real people
because people were able to generate AI-generated video of someone's face,
by taking a few screenshots, probably from the Instagram profile and turning into a video.
And once they submitted that to the servers, it sent a password link right to their email.
And now they own the account.
And it is just, oh, it's a serious problem.
So the answer to this, I mean, immediately as I'm hearing this, I'm thinking, oh, my God, well, I have two-factor
authentication.
Surely that's good.
Like, I have two-fa.
Surely that is okay.
In fact, the CEO of Epic Games, Tim Sweeney, said the same thing.
Surely 2FA should prevent this.
Well, it did for a hot second.
But then the follow-up answer is, no, it actually doesn't.
Because it turns out this attack vector extends even further past meta onto the Facebook platform as well.
In fact, on Facebook, you can actually convince the AI bot to go into developer mode,
that you are an actual developer who works at the meta company and who has admin access to changing these profiles.
So it was able to convince the bot that it is a developer.
And then through that was able to actually send an additional.
password reset that gets around 2FA because it asks for, I want to make sure I'm getting
this right, it asks for actual proof that you are who you say that you are. So it asks for some
documentation about your name and your kind of ID. And if you can submit that, of course,
AI generated, then you could bypass the entirety of this authentication process as well.
So it's this really horrific exploit that has seemingly affected any account that was targeted. And if you
have made it through today without your account being targeted, congrats, you're not one of the
most valuable accounts on the platform because it seems like a lot of these larger accounts ran into
a lot of issues. And I know that they tried to patch this and by taking down the bot, but it seems
like there's still API access as of this morning of recording this, where it's still not entirely
fixed. So it's been a really concerning thing. And we should probably get into like how this even
happens. This is, this is crazy. I mean, a few, a few crazy things as I dug in.
to this story. People were talking about this openly on Reddit about a month ago. So this exploit
has just been sitting in plain sight for all of META's cybersecurity researchers to have like
picked up and like dealt with. But it just was never exploited or it just was never patched. So I think
it was happening on like lower level accounts. And then the White House account was kind of like the
alarm bell ringing being like, hey, we have a problem here. Number two, what would happen after these
accounts got hacked or stolen would be that they were sold online via and I'm showing you,
on the screen here, some telegram groups of people just selling the accounts for like almost
up to a million dollars. So this kind of like attack exploit has been sitting around for a while
and it begs the question, which is like, well, how do we protect against this in the future?
And kind of like, how do I help myself understand this new world of AI where it goes from being
a hard-coded exploit where like, you know, typically hackers would like look at the code and try and
exploit vulnerabilities and hard code to something a lot softer where you're talking to almost
a human being and you can like sweet talk yourself. Like the attack vector goes from like code to,
you know, how well you can use words. And I came across this really interesting analogy. It's
called the confused deputy. So I want you to picture the following, Josh. Imagine you are the night
keeper of a very secure bank vault. And the way that it's secured is you as the nightkeeper have
keys to everyone's safety deposit box, right? And it's jangling on you. You're the one guy and you have
guns, whatever, you can protect yourself, right? And you have keys to every single thing.
Now, what if someone can come to you in the middle of the night and convince you that they are
who they say they are, even though they're faking to be someone else, and sweet talk you into giving
them the key or opening up their safety deposit box and giving you the contents of that.
That is the new world that we're entering right now. And it's a very weird one because technically
meta, you could argue, didn't do anything wrong. They had their security systems in place. They
just weren't prepped adequately for this new vector. And it's not just meta that is exposed to
these kinds of things. We've seen hacks recently with OpenAI's specific supply chain security,
as well as Apple themselves, which recently had an exploit revealed by Claude Mithos,
it was a 55-page report where technically the hack happened by exploiting or being able to
kind of work its way around their memory configuration, which they won't get into it.
So it's this new world where AI is kind of like opening up a different attack vector.
And the only way to protect against this, I guess, is kind of like anti-prompts or anti-prompt injections.
It's just kind of weird.
Yeah, they need to up their security in a big way.
This feels like this like horribly overstepped implementation of this.
And one of the things that actually really rub me the wrong way is in meta's response,
they actually said, there was no breach of our systems, quote, end quote.
And sure, okay, buddy, like technically that's true.
systems were not actually breached, but like, oh my God, this is about as bad as it gets.
Like, I almost rather they would have been breached. So there was a very clear fix.
With this, there is no clear fix. It's just a matter of, I guess, more red teaming and more
making sure that these AI models are more resistant to prompt injection. And it's crazy that,
I mean, prompt injection is not a new threat vector. It has been around since the beginning
of AI. So a lot of, you'll see these posts online of people putting like hidden prompts inside
their LinkedIn profile. So when automatic bots try to email them, it gives them the recipe
for some like pie or something like that.
So prompt injecting is nothing new.
And that's kind of exactly what it was.
And it takes me to the idea that, like, of meta as a company.
And I want to discuss them quickly because meta as a company has been very disappointing
when it comes to anything outside of social media.
When you think of what about what it's accomplished, right?
They have Facebook.
They acquired Instagram and they made it into this unbelievable platform.
They have WhatsApp.
But outside of that, everything has kind of failed.
They did the pivot to meta.
Everyone remember.
company is now called meta, but there's no Metaverse to be found. Now they've pivoted away from
the Metaverse after it's failed over to AI. There has spent an ungodly amount of money hiring
these engineers that we've talked about plenty of times on the show for tens to hundreds of billions
of dollars of compensation, only to release these seemingly small things and the small things
that they have released that have actually gone public into their applications are now acting
as surface area for people to attack the platform and to ruin the user's experience on it. So so far,
there really hasn't been any
impactful, noteworthy
things that meta as a company has shipped.
And this is just another kind of ding
notch in the belt about kind of like how
crappy meta has been.
It leaves me really disappointed. You want to trust a company
like this, but they're shipping.
I mean, this is like step number one
of securing your systems. Like make sure
that someone can't say they are someone who isn't
and then offer them all the credentials to run your platform.
It's just a really rough oversight.
And it's a bummer to see.
This reminds me of one of the early
versions of Amazon's AI chat assistant, where people were going on it and basically making
claims for orders that they never initiated or received and just getting refunded for it.
Like someone exploited it, I remember, for like $5,000 for an individual account.
This is kind of like along the same kind of vector.
Now, this couldn't have come at a worse time for meta.
In my opinion, they literally just laid off 8,000 people.
They have torched billions and billions of dollars on fire.
Their data centers aren't in demand because no one wants to use the meta.
AI assistant. And when they do, they end up losing their Instagram account, apparently.
So it's not working in Zuck's favor. But one thing in, I guess, their court is, I think they're
hyper-focused on building like a social media AI model. And listen, I'm not a fan of like what their
vision is, which is basically let's try and capture as many people's attention as we can and get
them focus on a screen. I think that's kind of like scary and dark. And we already know that they're
working on these weird brain models that can like initiate content to spark up certain regions.
in your brain and their new Mews Spark model helps you do that. And then it's focused on advertising
to try and, you know, pay advertisers off. So they're focused on a very particular niche. And I don't
think they're ever going to try and compete with Anthropic and opening. And that's, you know,
their prerogative and good luck to them. But, you know, Mehta's had a history of, you know,
kind of having shady exploits or being used for nefarious positions. The thing I think about immediately
is like the presidential elections of, you know, of pathway was kind of like used to politically
sway a bunch of different things. I could totally see.
a world in the future where it's not technically a hack,
but people are like using these models to kind of coerce
and advertise their own campaigns.
Now, in order to solve this, right,
we need some kind of a fail safe.
We need some kind of a framework.
And ironically, yesterday, as this hack was unraveling,
the White House themselves,
who had their account hacked at the same time,
release this report, or rather this mandate,
this statement, which basically says,
we need to start taking AI a lot more seriously,
especially when it comes to security.
Now, the White House has been extremely involved in Claude Mythos
and pre-testing there,
and they've been using and heavily involved with Anthropics' new model
that they haven't publicly released yet,
purely because a lot of their defense systems,
national defense systems, are vulnerable
if they were to release a model like this.
So this kind of stems from that,
and they created this entire mandate
where they basically said,
we need to take a more proactive approach to cybersecurity,
as well as specific attack vectors like this, such as prompt injections,
and meta kind of like prove the case right there and there.
Yeah, and the thing that is difficult about this, too,
is the executive order seems like it's a little more chill.
It asks for 30 days instead of 90 days.
It seems like it mostly applies to frontier models.
So when a new version of Mythos comes out,
when OpenAI releases their GPT6 model or some really cutting-edge model,
that's what's mostly being evaluated.
It doesn't seem to place as much of a focus on,
existing lower-end models.
Like, they're not going to be auditing meta-spark or Meta-Muse models
because they're just not that good.
So this wouldn't really protect us from a lot of the kind of novel new attack factors
that were just exposed through meta.
It's mostly on the companies to do this.
I wonder if the definition of good changes, Josh, what do you think?
Like, good could be, like, for defense systems, but it could also be for, like, I don't know,
high-profile financial data banks,
and maybe they're like different models
for different niches, do you think?
Yeah, perhaps. Or maybe
there's just more red teaming that's done
as it relates to like a harness around the models
because I assume that's probably what's
somewhat responsible for this, is
they just didn't have these safeguards in place.
They didn't have the red teaming done
to actually test against all of these instances
because this isn't necessarily a complicated
prompt injection that uses these funny characters
that's kind of like more representing of a jail
break. This is just pure English, a few sentence choices you're on your way. And it feels just
like incompetence. Like there's no other way around it. It just feels like they failed to execute on
basic security standards. And in that sense, it's really disappointing for me, at least personally.
And when I think about us as consumers who are affected by this, like, thankfully my account
wasn't impacted. I don't have a very valuable account. They don't care about me. But it's something
that we've taken for granted. And our producer looked before the show, he made a great point about
Apple and how we've used Apple since the beginning of time. And I mean, early days when you bought a
Macintosh, you bought it because Windows had a lot of viruses that you can get. And Macs weren't
susceptible to viruses. And that culture has kind of carried on through the entire history of the
company where now you buy an iPhone and you just know it's secure. They've put privacy at the forefront.
They've put security at the forefront. You don't need to install malware services anymore to
scan through if you have any viruses. You don't just don't just don't. You just don't
have to worry about it, everything's secure. And what meta is showing us is that it's actually this
luxury belief to feel that you are secure because it really takes a lot of hard work and effort. And
companies that aren't willing to do that work, I assume we're going to continue to see this.
We mean, we talked about this earlier. There's been an increasing amount of exploits happening
every single week. And the AI systems are progressing far faster than the security systems,
at least in some instances, are able to revise themselves and improve. So, I mean, it's, yeah,
Again, weird, weird newsday.
It feels kind of eerie that it's so easy to do this for so many accounts.
I mean, this affects people.
It affects businesses.
Yeah, just not great.
It just, yeah, it forces, it's going to force a lot of companies to kind of completely rethink from the ground up how their security systems work in a world where words can kind of beat and exploit your system, maybe even for like a lot of money in the future as well.
And so the question then becomes for now, right now, before.
we come up with that framework and harness that you mentioned, how do we protect ourselves?
There are a few ways that come to mind. Number one is like multi-factor authentication.
Now, I know we had 2FA being exploited here, but there are other forms of 2FA, right?
You can firstly set up multiple forms of 2FA. So it could be your SMS, it could be a pass code
so that there's not just one vector for 2FA. The other thing is there's these pass keys or there
UB keys, like hardware devices that you can like plug into your laptop.
It takes your fingerprint.
I use a bunch of them.
And it's helpful.
It generates an encrypted key every time you use it.
And that is super hard to replace or exploit.
And then you can kind of like lock down your visibility and recovery options online.
So if you're logged in, for example, you can check your account settings and see if there
are any other active sessions currently on your account.
And if you see a weird region or a weird location or weird IP address, you can cancel and
block those out immediately. Now, obviously, those are temporary measures, and in the future,
hopefully you wouldn't want to, like, even jump into these at all. And then the obvious one,
if you haven't gleaned it from this conversation so far, is just be careful with the AI chatbots.
Don't be telling them everything. Unfortunately, with meta specifically, every conversation
you have on WhatsApp or Facebook Messenger or on Instagram DMs coagulates around this exact same
AI model, and they have, like, a record of everything that you speak about. So nothing is really
private or encrypted on Metairai. That's why I don't really use it that much or talk about
vulnerable or valuable information. So just be careful about what you talk about in general.
Yeah. And then in terms of past keys or 2FA in general, there is a sort of hierarchy that I want
to cover, which is important, SMS being the worst. So a lot of these companies, they offer
two-factor authentication in variety of ways. You can use your phone. You can use an authenticator
app. And the phone is the worst. You almost never want to use your phone because it's very easy for
the carriers to be compromised. You have to think of the second.
order attack vector. So let's say you are a user of AT&T or Verizon. If you use SMS as backup,
then you are only as strong as Verizon and AT&T now. And there are known ways to kind of social
engineer those companies as well, who are currently still run by humans to kind of take over
your phone account, capture those codes from your SMS, and then use it to log into your account.
So I would say that's the weakest form. Second to that is using Authenticator apps at Google
Authenticator. Authenticator, there's a bunch of them that are really good. One password in particular is
excellent. It's also good to have a password management system because you do not want to be
reusing passwords because one of these passwords will be exploited. I can promise you there will be a
database dump. You will be exposed. That will be a problem. After you use authentication keys,
there are things like UB keys, which EJA, as you mentioned. Those are probably the highest security
version of it, where you have physical hardware that you plug into a device to authenticate that's
actually you. Another thing worth noting is amongst your friends and family, just kind of having like
safe words or phrases that you can discuss together. I think this is really important now that it's
easy to emulate people's voices and faces and video and doing so at a near perfect kind of form factor.
You really want to have your friends and family on the same page like, hey, if you get a call from me
saying I'm being kidnapped in some scary place, make me say the word. And that is a very important
thing because it will be easier. The attack vectors for this will continue to get better. And then outside of
that. I think it's really just kind of being careful. If you own a business and you have a business
on one of these accounts, you probably want to collect a lot of proof that you own the account
just for your own safekeeping that way in the case. This ever does happen. You have undisputed,
verifiable proof that you are the actual owner, you are the rightful owner, because I suspect
it's going to be some AI content versus yours in a debate. And you want to be able to,
you want to be sure that you could stand up against that. And I think those are really the best things
you could do, it's unfortunate because if you're a user of meta, you had two-factor on, you had all
your checks in a row, you still got hit by this. So it's a sad one. But I think that mostly covers
the exploit. That's what just happened this week in meta. And it was crazy. And listen, you might
be listening to this episode and thinking, ah, it is dangerous, but it's also a bit of a novelty.
Like maybe you don't use Instagram or much, or maybe you just don't care about social media account
getting hacked versus your bank account.
I just want to make it clear that this is a very real thing that is going to hit any and
every single sector.
I was reading Anthropics Claude Methos report recently, and they gave us an update on all
the testing that they've been doing with their AGI-like model, which is Claude Methos,
it has advanced cybersecurity capabilities so good that they haven't rolled it out to the public.
And their report basically said that of the 50 partners, or I think it was like 30 to 50
partners that they're working with, they discovered over 10,000 critical vulnerabilities, and they've
only patched around 150 of them, right? This was a model that was created four months ago in
February, maybe, and they said in that blog post that within six to 12 months, or sorry,
within six months, you will have other AI labs producing and publicly releasing Mithos level-like
models, but also by that time, Claude Mithos will look dumb. So the order of magnitude of
intelligence and attack vector that these AIs are getting is increasing exponentially and we need to
have the safeguards in place. Now, they said that they're working on a bunch of things.
They're one being obviously using the AI model to defend against the exports that it is
exploiting. So the idea is it could like patch a fix immediately as soon as it discovers it. And that
seems like the most feasible thing. The other thing is just writing code from scratch from nowadays,
that just doesn't look like the security code that we created in the past.
It's going to look protective against prompt injections and words.
It's just going to be architected very differently.
And I think we're just entering a new world where cybersecurity companies in particular
are going to have to take their work from the ground up in a completely different way.
It's going to look very different five years from now.
It's a new era and we're at day zero.
This is the first, I guess, wide exploit that we've seen on a major platform.
So scary precedent, be careful.
take care of all of your assets as best you can.
And yeah, just be safe out there
and we'll hope that these companies can be responsible
with their newly held superpower.
So that is the episode that is the meta exploit.
You are fully now caught up.
If you enjoyed this episode, please do not forget to share it with your friends.
We have a really exciting roundup tomorrow.
Every week we cover all the top news stories that we don't make an explicit episode on.
We package them all into an episode that drops on Friday.
It should be very exciting this week.
There's a lot of stuff to go down.
Most importantly, for me, at least the thing I'm interested in,
is talking about that new Glenn rocket explosion.
Boom.
Pretty rough hit for the space race.
But yeah, if you enjoyed, please, as always, don't forget to share.
Give us a five-star rating if you enjoyed on your favorite podcast player.
And as always, thank you guys so much for watching.
We will see you in the next one.
See you, guys.