Hackers Used Meta AI to Take Over Instagram Accounts

03.06.2026 3 minutes Author: Newsman

Instagram users have reported a series of account takeovers in which attackers allegedly bypassed Meta’s security mechanisms using the company’s own artificial intelligence tools.

According to the affected users, the attack allowed threat actors to gain control of accounts even when the owners had completed identity verification through facial scans and had two-factor authentication (2FA) enabled.

Particular criticism has been directed at Meta’s account recovery system. Many users say that after losing access to their accounts, they become trapped in a loop of automated support where all requests are handled by chatbots and AI assistants, with no way to contact a human representative.

Among the profiles reportedly affected were an account previously used by the Obama White House team, the account of app researcher Jane Manchun Wong, as well as the well-known Instagram accounts @hey and @korn.

The owner of @korn said they spent around six hours trying to get assistance from Meta, only to receive several broken links from the company’s AI-powered support system.

According to the user, the situation is absurd: one AI system helped facilitate the account takeover, while another was unable to restore access to the legitimate owner.

Journalists and users investigating the incident claim that the attack method itself was relatively simple. The attacker would initiate the account recovery process through the “Forgot Password” feature and then interact with Meta’s AI assistant, convincing it that they were the rightful owner of the account.

When asked to verify their identity with a selfie, attackers allegedly took a photo directly from the victim’s Instagram profile and processed it through an AI video generator to create an animated version of the face. The resulting video was then submitted for verification.

According to a user named Andre, Meta’s systems were unable to reliably distinguish a genuine selfie from an AI-generated facial video. This reportedly allowed attackers to pass identity checks and effectively bypass 2FA protections.

Reports also suggest that some attackers used VPN services to appear as though they were connecting from the victim’s usual geographic region. This helped them avoid additional security checks that might otherwise be triggered by logins from unusual locations.

Chat with Meta’s AI support agent.

After successfully changing the email address associated with the account, the attacker could initiate a password reset and complete the account takeover.

Some reports also claimed that this method may have been used to compromise extremely rare single-character Instagram accounts, including @e and @f. However, other sources dispute this claim, suggesting that these usernames may have been transferred by someone with internal access to Meta’s systems. Neither scenario has been independently verified.

Single-letter Instagram accounts are considered some of the most valuable assets on social media and can reportedly sell for tens of thousands of dollars on the black market.

Meta has not yet issued an official statement regarding the incident. However, Andy Stone, Meta’s Vice President of Communications, responded to one of the affected users on social media, stating that the issue had been resolved and that the compromised accounts had been secured.
