
When One AI Starts Fooling Another: How Instagram Accounts Were Taken Over


Account recovery systems are designed to help users regain access when they lose passwords or login credentials. Increasingly, these processes rely on automation and AI-driven identity verification to reduce support workloads and accelerate recovery. But as these systems become more sophisticated, they are also creating new attack surfaces for cybercriminals.

A recently reported campaign highlights that risk. Attackers reportedly exploited weaknesses in automated account recovery workflows to take control of Instagram accounts, including rare usernames and high-profile profiles. Rather than breaking into the platform directly, the operation appears to have targeted the recovery mechanisms intended to verify legitimate account ownership.

According to Cyber News, the attack combined several techniques. First, attackers allegedly gathered publicly available information from target profiles, including location details and profile photos. They then used AI-generated selfie videos created from those publicly available images to pass automated identity verification checks.

The attack reportedly abused account recovery tools designed to help users regain access after being locked out. Once the automated system accepted the AI-generated verification material, attackers were able to change the email address associated with the account. Control of that email address effectively gave them ownership of the profile, because password reset requests were redirected away from the legitimate user.

Researchers also described the incident as an example of a “confused deputy” attack. In this scenario, the recovery system itself is not compromised directly. Instead, attackers manipulate a trusted service into performing actions on their behalf. The distinction is important because the vulnerability lies not in breaking security controls, but in convincing automated systems to misuse their existing permissions.
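Because each step in the sequence described above is a legitimate action on its own, a defender has to look at the chain rather than any single event. The following is an added example, not code from the article or from the platform: it scans audit events for an automated selfie verification followed by an email change and a password reset from an unrecognized device within a short window. The event names, fields, one-hour window and sample data are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit events; action names and fields are hypothetical.
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "account": "acct_a", "action": "recovery_selfie_verified", "device_known": False},
    {"ts": "2025-01-10T09:04:00", "account": "acct_a", "action": "email_changed", "device_known": False},
    {"ts": "2025-01-10T09:06:00", "account": "acct_a", "action": "password_reset", "device_known": False},
    # Recovery from a device the account has used before: not flagged.
    {"ts": "2025-01-10T10:00:00", "account": "acct_b", "action": "recovery_selfie_verified", "device_known": True},
    {"ts": "2025-01-10T10:05:00", "account": "acct_b", "action": "password_reset", "device_known": True},
    # Email change days after recovery: outside the window, not flagged.
    {"ts": "2025-01-11T08:00:00", "account": "acct_c", "action": "recovery_selfie_verified", "device_known": False},
    {"ts": "2025-01-14T08:00:00", "account": "acct_c", "action": "email_changed", "device_known": False},
]

# The order of actions the article describes for a takeover via recovery.
CHAIN = ("recovery_selfie_verified", "email_changed", "password_reset")


def flag_recovery_takeovers(events, window=timedelta(hours=1)):
    """Return accounts where CHAIN occurs in order, inside `window`,
    with every step coming from a device not previously seen."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort correctly
        by_account.setdefault(ev["account"], []).append(ev)

    flagged = []
    for account, evs in by_account.items():
        step, start = 0, None
        for ev in evs:
            when = datetime.fromisoformat(ev["ts"])
            if start is not None and when - start > window:
                step, start = 0, None  # chain took too long; start over
            if ev["action"] == CHAIN[step] and not ev["device_known"]:
                if step == 0:
                    start = when
                step += 1
                if step == len(CHAIN):
                    flagged.append(account)
                    break
    return flagged


if __name__ == "__main__":
    print(flag_recovery_takeovers(EVENTS))
```
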

From a cybersecurity perspective, the incident illustrates a growing challenge as AI is integrated into identity verification and customer support workflows. Systems that rely on facial verification, conversational AI, or automated recovery processes may become attractive targets for attackers using increasingly realistic AI-generated content.

The case also highlights the limitations of fully automated recovery systems. Several victims reportedly struggled to regain access because recovery channels themselves relied heavily on chatbot-driven support with limited access to human review.

While the affected platform stated that the issue was patched, the incident underscores a broader trend: as AI improves identity verification, it is simultaneously creating new opportunities for AI-assisted impersonation attacks.