Instagram takeovers expose an AI verification gap

Attackers fed Meta's AI support flow an AI-generated face video built from a target's own profile photos, passed identity verification, swapped the email, and reset the password. No CVE. No backend breach. High-profile Instagram accounts gone.

A wave of Instagram account takeovers this week worked by feeding Meta's own AI support flow a fake selfie that the AI could not tell apart from a real one.

The technique was simple. An attacker opens the Forgot Password flow and claims the account is hacked. They turn on a VPN to match the target's region, which Instagram now surfaces in the account's About section. Meta's AI support flow then asks the requester to verify identity with a selfie. The attacker pulls a photo from the target's public profile, runs it through an AI video generator to produce a short animation of that person's face moving, and uploads the clip. The AI accepts it as a live selfie. From there the attacker swaps the recovery email to one they control, triggers a password reset, and receives the reset link. Two-factor protections fell away in the process.

404 Media reported that the targets were not new or weakly protected accounts. They were verified, locked-down, high-value handles. Gizmodo noted that the Obama-era White House handle and the account of the US Space Force chief master sergeant were among those hit, and that rare usernames worth a combined seven figures were flipped through private Telegram channels. Meta confirmed no server systems were compromised and said the issue is now fixed. The flaw lived entirely inside the AI verification decision, not in any backend.

Two things are worth pulling out of the reporting.

What scanners would have missed

This attack produced no CVE. There was no injectable field, no memory corruption, no unpatched library. Every request the attacker made was a well-formed, expected call to a flow built to accept exactly those inputs. The defect was in what the AI decided to trust, not in any line of exploitable code.

A SAST tool reads source. It can flag a missing auth check or a tainted input path. It cannot tell you that a vision model will accept a generated face animation as proof of a live human. That is a property of the model's judgment under adversarial input, not a property of the surrounding code.

A DAST tool probes endpoints for injection and misconfiguration. Point it at the account recovery flow and it sees a verification step returning a pass or fail. It has no concept of whether the artifact that earned the pass was a real person or a generated clip. The endpoint behaves correctly by its own contract. The contract is the problem.

SCA checks dependencies for known issues. No dependency was at fault.

CVSS has no field for this. There is no vulnerability to score because the system did what it was designed to do. It evaluated a selfie and made a trust decision. The failure was that the decision boundary could be crossed by a free AI video generator and a public photo. A scanner that ranks everything by CVE will never surface a recovery flow that hands over an account to anyone holding a generated face.

What Sekura would have shown

Phase 3 of Sekura's pipeline is dynamic probing, and phase 5 is exploit-chain analysis. Together they target exactly this class of flaw: a sequence of individually valid steps that compose into account takeover.

A dynamic probing agent exercises the account recovery flow as an attacker would, including the AI verification step, using a generated face artifact derived from public profile data. The exploit-chain agent then links the steps that each looked benign on their own.

The specific finding Sekura would have produced: the identity verification step in account recovery accepts a synthetic face video as a live selfie, and that single pass is sufficient to change the recovery email and reset the password without a second human-reviewed control.

The finding would contain these items:

  1. Entry point: Forgot Password flow, region matched via VPN using public About-section data.
  2. Verification bypass: AI-generated face animation built from a public profile photo accepted as a live selfie.
  3. Account change: recovery email swapped to an attacker-controlled address.
  4. Takeover: password reset link delivered to the new email, existing two-factor effectively bypassed.
  5. Blast radius: any account whose username and one public photo are known to the attacker.

sequenceDiagram
    participant Attacker
    participant Recovery as Account Recovery
    participant AI as AI Verification
    participant Account
    Attacker->>Recovery: Forgot Password, region matched via VPN
    Recovery->>AI: request live selfie
    Attacker->>AI: AI-generated face video from public photo
    AI-->>Recovery: verification passed
    Attacker->>Account: swap recovery email, reset password
    Account-->>Attacker: full takeover

We would attach the working chain as the proof artifact. A severity label does not tell you that a public photo and a free video tool reach a verified account. A reproduced takeover does.
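
The same chain seen from the defender's side, as an added example (not Sekura's or Meta's code): a scan of recovery-flow audit events for a selfie pass that leads to an email swap and password reset with no second control in between. The event names, the one-hour window and the sample log are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Ordered steps of the recovery chain listed in the finding (event names assumed).
CHAIN = ["recovery_started", "selfie_verified",
         "recovery_email_changed", "password_reset"]
# Events treated as a second, independent control (assumed names).
BREAKERS = {"human_review_approved", "existing_2fa_challenge_passed"}
WINDOW = timedelta(hours=1)  # assumed threshold, tune to real recovery timings

# Constructed sample log: (ISO-8601 timestamp, account, event), deliberately unsorted.
SAMPLE_EVENTS = [
    ("2026-01-10T10:00:00", "acct_b", "recovery_started"),
    ("2026-01-10T09:00:00", "acct_a", "recovery_started"),
    ("2026-01-10T09:04:00", "acct_a", "selfie_verified"),
    ("2026-01-10T09:09:00", "acct_a", "recovery_email_changed"),
    ("2026-01-10T09:12:00", "acct_a", "password_reset"),
    ("2026-01-10T10:05:00", "acct_b", "selfie_verified"),
    ("2026-01-10T10:10:00", "acct_b", "human_review_approved"),
    ("2026-01-10T10:15:00", "acct_b", "recovery_email_changed"),
    ("2026-01-10T10:20:00", "acct_b", "password_reset"),
    ("2026-01-10T11:00:00", "acct_c", "recovery_started"),
    ("2026-01-10T11:05:00", "acct_c", "selfie_verified"),
    ("2026-01-10T14:30:00", "acct_c", "recovery_email_changed"),
    ("2026-01-10T14:35:00", "acct_c", "password_reset"),
    ("2026-01-10T12:00:00", "acct_d", "password_reset"),
]

def find_unreviewed_recovery_chains(events, window=WINDOW):
    """Return accounts that completed the whole chain inside `window`
    with no second control between recovery start and password reset."""
    state = {}    # account -> (index of next expected step, chain start time)
    flagged = []
    for ts, account, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "recovery_started":
            state[account] = (1, when)          # start or restart tracking
            continue
        step, started = state.get(account, (0, None))
        if started is None or when - started > window or kind in BREAKERS:
            state.pop(account, None)            # not tracked, stale, or reviewed
        elif kind == CHAIN[step]:
            if step + 1 == len(CHAIN):
                flagged.append(account)         # selfie pass alone reached reset
                state.pop(account, None)
            else:
                state[account] = (step + 1, started)
    return flagged

if __name__ == "__main__":
    print(find_unreviewed_recovery_chains(SAMPLE_EVENTS))
```

Each event on its own is a normal recovery action; only the ordered sequence without a human review or existing-factor challenge is flagged, which is why per-request checks do not see it.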

The bigger pattern

This is an authentication bypass, but the bypassed control was a model, not a password. One AI generated the evidence and another AI accepted it, with no person positioned to catch the mismatch.

That is the signal worth holding onto in 2026. As companies move trust decisions into automated AI flows to cut support cost, the decision boundary itself becomes the attack surface. The question is no longer only whether your code is sound. It is whether your model can be convinced by inputs that another model can manufacture on demand.

Trust decisions made by AI need to be tested the way attackers will test them, before attackers do. If you want to see what proof-first looks like on your own attack surface, book a POC.