Attackers Hijacked Instagram Accounts by Tricking Meta's AI Support Bot

Attackers used AI-generated videos to fool Meta's automated support into handing over accounts. What happens when AI support becomes the attack surface, and what it means for your firm's account recovery planning.

Earlier this week, multiple Instagram accounts were hijacked using a method that should make anyone running a business nervous. Attackers didn’t crack passwords. They didn’t bypass MFA. They convinced Meta’s AI-powered support system that they were the legitimate account owners, and the AI handed over access.

The recovery experience for the real owners was arguably worse than the attack itself: stuck in AI chatbot loops with no path to a human agent and no way to prove their identity to a system that had already accepted someone else’s.

One affected user summarized it: “One AI stole it, and another AI can’t fix it. Zero humans in the loop anywhere.”

How the attack worked

The method is straightforward and doesn’t require technical sophistication:

  1. The attacker triggers a “forgot password” or “my account was hacked” flow.
  2. Meta’s AI support asks for identity verification via facial recognition (a selfie video).
  3. The attacker takes a photo from the target’s public account, runs it through an AI video generator to create a fake “live” video of the person’s face, and submits it.
  4. The AI accepts the video as identity verification, changes the account’s email address to the attacker’s, and locks out the real owner.
  5. The attacker resets the password via their new email and takes full control.

Two-factor authentication didn’t prevent the takeover because the identity check ran inside the support system, not through the normal login flow. The recovery path sat above the controls the account owner had configured, so MFA was never evaluated.

Why the recovery failed

After the takeover, legitimate account owners attempted to recover access through Meta’s support channels. They submitted their own selfie videos. They provided documentation. They waited.

What they got back were automated responses, broken links, and loops that restarted the same process they’d already completed. No human ever reviewed their case. The AI support system that handed the account to an attacker couldn’t distinguish the real owner from the fake one, because both were now submitting the same type of evidence (face videos) and the system had already accepted the attacker’s version as the baseline.

Meta’s VP of Communications eventually acknowledged the issue on social media and said impacted accounts were being secured. But for the affected users, the gap between “attack succeeded” and “someone at Meta noticed” was measured in days, not minutes.

What this means beyond Instagram

This isn’t really a story about Instagram. It’s a story about what happens when AI replaces human judgment in account recovery workflows, and the AI doesn’t have adequate verification safeguards.

Most platforms are moving in this direction. The economic logic is clear: AI support scales without adding headcount, never takes breaks, and costs a fraction of human agents. But the security logic breaks down when the AI can be social-engineered just like a human, except faster and without the gut-check moment where a human agent might think “something feels off.”

For professional services firms, the relevant questions are:

Which of your critical platforms now use AI-first support? Microsoft, Google Workspace, cloud storage providers, practice management systems, financial platforms. If an account on one of these is compromised, what does your recovery path actually look like? Have you tested it?

Do you have out-of-band verification documented? If your primary account recovery channel is compromised, do you have a secondary method? A direct contact at your vendor? A pre-registered recovery phone number that isn’t tied to the same account? An alternate admin who can act independently?

Who at your firm has unrestricted admin access, and what happens if their account is taken over? For a small firm, losing control of a global admin account on M365 could mean losing access to email, files, and client data simultaneously. If the recovery process runs through the same AI-first support channel that got compromised, you have a circular problem.

Is facial recognition your sole identity verification method anywhere? AI-generated video is now good enough to fool automated facial recognition systems. If any of your critical accounts rely on face verification as the only recovery method, that’s a gap worth understanding now rather than during an incident.

The pattern here

This attack works because it exploits a trust asymmetry. The AI support system is designed to be helpful and to resolve issues quickly. It trusts the evidence presented to it (a face video) without the ability to evaluate context the way a human might (why is this recovery request coming from a new device in a different country 10 minutes after the account was accessed normally?).
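As an added illustration (not Meta’s code or policy), here is the kind of context check the paragraph describes, written as a recovery gate where a passing face check is necessary but never sufficient on its own. The login history, device names, countries and the 24-hour quiet period are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added illustration of a context-aware recovery gate. Data and policy are
# constructed for this example; they are not Meta's or any vendor's.
@dataclass
class LoginEvent:
    when: datetime
    device_id: str
    country: str

@dataclass
class RecoveryRequest:
    when: datetime
    device_id: str
    country: str
    face_match: bool            # outcome of the automated selfie check
    wants_contact_change: bool  # asks to change the recovery email/phone

def evaluate_recovery(req, logins, quiet_period=timedelta(hours=24)):
    """Return (decision, reasons); a face match alone never approves a contact change."""
    if not req.face_match:
        return "deny", ["face check failed"]
    reasons = []
    if req.device_id not in {e.device_id for e in logins}:
        reasons.append("request from a device never seen on this account")
    if req.country not in {e.country for e in logins}:
        reasons.append("request from a country never seen on this account")
    last = max(logins, key=lambda e: e.when)
    if req.when - last.when < quiet_period:
        reasons.append("account logged in normally within the quiet period")
    if req.wants_contact_change:
        # Hold the change and notify the *existing* contact, so a wrongly
        # accepted video cannot silently lock the real owner out.
        reasons.append("contact change requested; notify existing contact")
    return ("review", reasons) if reasons else ("approve", [])

# Constructed history: the owner always logs in from one phone in Germany.
HISTORY = [LoginEvent(datetime(2025, 3, 1, 9, 0), "phone-owner", "DE"),
           LoginEvent(datetime(2025, 3, 2, 8, 50), "phone-owner", "DE")]

def attacker_request():
    # The article's scenario: new device, new country, ten minutes after a
    # normal login, and a generated video that passed the face check.
    req = RecoveryRequest(datetime(2025, 3, 2, 9, 0), "laptop-x", "BR", True, True)
    return evaluate_recovery(req, HISTORY)

def owner_request():
    # The owner on their usual phone, days later, asking only for a reset.
    req = RecoveryRequest(datetime(2025, 3, 5, 10, 0), "phone-owner", "DE", True, False)
    return evaluate_recovery(req, HISTORY)
```

The attacker’s request is routed to human review with four independent anomalies recorded, while the owner’s ordinary reset is approved; the point is that the face check gates the flow but never decides it.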

We’ve seen similar patterns with phishing attacks that exploit AI at the delivery end. This is the same concept applied to the recovery end. AI is being weaponized on both sides of the interaction: to execute the attack, and to prevent the victim from recovering.

What to do about it

You can’t control how Meta or any other platform runs their support infrastructure. But you can control your firm’s preparedness:

Document your account recovery procedures now. For every critical platform, know what the recovery process looks like, who can initiate it, and what evidence you’d need to provide. Don’t figure this out during a crisis.

Ensure admin accounts have multiple recovery paths. At minimum: a recovery phone number on a separate device, a secondary admin contact, and backup access codes stored securely offline.

Review which accounts use facial recognition for verification. If any do, understand that this is no longer a reliable sole verification method. Layer it with other factors where possible.

Know who to call. For your most critical vendors (Microsoft, your practice management system, your cloud provider), identify whether you have a direct support contact or are reliant on general AI-first support channels. If you’re on a managed plan with a dedicated support path, confirm it’s still active and that your team knows how to access it.

The firms that have their recovery playbook documented before an incident are in a completely different position than the ones arguing with a chatbot at 2 AM trying to prove they own their own account.