I get that account recovery for sites with hundreds of millions of users is a huge burden they're struggling to manage but I'm shocked they didn't restrict such loose verification to the >90% of lower value accounts that aren't worth stealing and keep the stricter verif on high-value accounts.

The next obvious thing would be to let accounts the algorithm judges to be low-value still opt-in to strict verif. The vast majority of low-value accts won't bother flipping it on if the option is buried two menus deep, but many of the few low follower/views accts who are targets for some other reason (political, stalker, etc) - know they are targets and can self-protect by opting in, further reducing account hijacks.

So, before we even get to whether this 'loose' verif is "bad", those two simple implementation changes would certainly have cut the bad outcomes of a (potentially) bad idea by >95%.

This is how account recovery procedures used to work at a certain gaming company. They used to train support agents on what makes an account high-value and apply additional scrutiny to those recovery cases, while letting low-value accounts be recovered with less information. It worked, for the most part, but because the valuation of a given account was based on the agent, some agents used to value accounts differently. You could get away with stealing a high-value account if you got the right agent in a support ticket. The tradeoff in this case was time spent - you'd have to create a lot of email addresses and plausible but vague tickets, though some attackers automated that process. Eventually, they just applied the same scrutiny level against every account and called it a day.

[dead]