On June 1, 2026, Krebs on Security documented an exploit in which Meta's AI-powered account recovery system was used to seize Instagram accounts in real time. The attack chain required no breach of Meta's servers. No stolen credentials. The attacker needed only one thing. Publicly available material the account holder had already posted.
Profile photos scraped from the target account were fed into AI video generation tools to produce synthetic identity verification clips. The target's own listed location data was used to spoof a geographic match. Meta's recovery system accepted the fabricated selfie video as proof of identity, allowed an email address change, and handed account ownership to the attacker. Security researcher Jane Manchun Wong documented the takeover as it happened, describing repeated forced logouts and password reset attempts she did not initiate.
The attack surface was not a technical vulnerability in the traditional sense. It was the publicly available digital footprint the user had accumulated over years of normal platform activity.
For a small business owner whose professional presence is housed inside a platform account, the structural exposure was built in from the first post.
What information has a platform already collected, indexed, and made retrievable about the business owner operating inside it, without their explicit awareness.