Posting here for any Meta employees who may be reading. This flaw has been around for at least a few days and has been used to hijack over 100 high-value Instagram accounts. The correct patch would be to disable the AI support feature entirely for the time being until this is sorted and revert accounts and usernames that have been hijacked over the last few days. This is a pretty important flaw and it's currently being exploited in blackhat circles. The steps above are public knowledge in these circles and can be found trivially on Telegram.

Edit: I wouldn't be surprised if this was never acknowledged by Meta. Several months ago in February, there was an exploit that allowed anyone to view the email address and phone number on file for any Instagram account. No acknowledgement from Meta. IMO they should've filed an SEC 8-K for an issue like that. Also, this flaw was unpatched when I posted about it - not sure if it's since been patched.