A vulnerability in Instagram's account recovery process allowed attackers to take over accounts, including high-profile ones, by exploiting the platform's AI-powered support system. The attackers could bypass two-factor authentication and gain full ownership of the account by providing a fake location and convincing the AI to send verification codes to an arbitrary email address. The issue has been patched, but not before multiple accounts were compromised. The vulnerability was active for weeks or even months before being discovered.