Attackers abused Instagram's AI-driven account recovery system by using AI-generated animated videos derived from victims' photos to pass facial verification checks. This allowed them to change the email addresses linked to accounts and reset passwords, effectively hijacking accounts despite two-factor authentication protections. The automated support system does not provide a human escalation path, trapping victims in unproductive chatbot loops. Some attackers also used VPNs to mimic victims' geographic locations to bypass additional security checks. Meta acknowledged the issue and indicated it has been resolved and affected accounts secured, but no formal vendor advisory or patch details have been published.

Successful exploitation results in account takeover, including high-value and rare Instagram accounts. Attackers can bypass two-factor authentication and geolocation checks, leading to loss of account control for victims. Victims face significant difficulty recovering accounts due to the lack of human support in the recovery process. The incident undermines trust in AI-based verification and automated support mechanisms.

Meta has stated the issue has been resolved and impacted accounts are being secured. No further action is required from users at this time. Users should monitor official Meta communications for updates. Because no official patch or detailed advisory is available, users should remain vigilant and report suspicious activity to Meta.