Disable Any Instagram Account
With this simple security hole, tricking Meta AI into disabling any user account is easy (and free)
Meta finally allowed me to see the data associated with my banned Facebook account and their AI-driven decision to ban journalism.
Want to learn how to have any Meta account taken down for free? Keep reading.
My accounts, based in Thailand, were only accessed in Thailand until around December 1st, 2024- when I began posting my new series focused on various issues, including human interest, the environment, and neglected conflicts in Southeast Asia.
I was banned for “Human Exploitation” by AI at Meta, and it was upheld by the WhatsApp Business spokesperson Emily Westcott.
According to the records, Pre-authentication Enrollment Flows (login sessions) were completed several times during the month in several countries worldwide, from Honduras and Ukraine to Iraq and the Philippines.
These login sessions continued without my knowledge until Meta removed all my accounts. The Pre-Authentication Flow Enrollments even persisted in attempts to access the accounts after they were disabled.
Pre-authentication refers to users interacting with the system before their identity is verified. Scammers exploit pre-authentication and enrollment flows by manipulating vulnerabilities in how accounts are created or authenticated before secure access controls are fully enforced.
These enrollment flows often involve actions like:
Creating a new account.
Linking accounts from across platforms (e.g., WhatsApp, Facebook, Instagram)
Account recovery
These flows, particularly concerning Meta’s systems, involve less-than-necessary security checks to authenticate users, allowing bad actors, “hackers,” and AI to target influential people, journalists, businesspeople, et cetera, and exploit the holes in linked Meta accounts by manipulating it’s Pre-Authentication Account Takeover Vulnerability. This is done in a couple of automated ways:
Email Enumeration or Username Guessing: Testing if a particular email or username exists during the signup process. If the system gives specific responses like “Email already in use,” it confirms a valid account exists and paves the way for targeted attacks.
Automating account creation, flooding the platform with fake accounts for spamming or phishing- in my case, reporting the account as participating in “Human Exploitation.” This triggers AI moderation to disable the accounts.
When Meta AI receives the fruits of these attacks, like reports, and they are serious- such as this user, removed for Child Exploitation, they disable and move on. Again, letting AI drive the whole car.
It is because of these vulnerabilities that my accounts have been disabled. Research into the tech of this problem and its other intricacies indicates that this issue is becoming more prevalent, though it has been around for some time.
By targeting these early stages of interaction, hackers are (at the time of writing) simply able to bypass traditional authentication mechanisms, making pre-authentication and enrollment flows a critical and wide-open hole in security that will undoubtedly result in the proliferation of more of these types of scams, whose primary victim is free speech and due process.
4.5 months have elapsed since this article was published. Has Meta fixed anything?
I have the same. My account is dissable since this night. Everything is gone.