On July 7, 2026, Meta launched Muse Image, an AI image model that could pull likenesses from public Instagram accounts when someone typed a handle into a prompt. Malwarebytes flagged the privacy design: opt-out by default, no notification when your likeness was used, and opt-out that only blocked future generations — not images already made.
By July 11, after widespread criticism, Meta said the Instagram-handle remix feature “missed the mark” and removed it. The episode still matters: it shows how fast consumer AI features can expose faces for impersonation and fraud, and how weak domain controls on Meta properties amplify follow-on phishing that spoofs @meta.com / @instagram.com / @facebook.com “security” mail.
What Happened
| Date | Event |
|---|---|
| Jul 7, 2026 | Muse Image launched; public IG accounts usable as likeness references |
| Jul 9, 2026 | Malwarebytes publishes consumer guidance on the buried opt-out |
| Jul 11, 2026 | Meta removes the public-Instagram reference capability |
| Risk | Why it mattered |
|---|---|
| No victim notice | Meta policy: you were not told when someone generated images of you |
| Opt-out only | “Sharing and reuse” toggles blocked future AI reuse — not past outputs |
| Fraud use-cases | Public photos already fuel deepfake KYC, romance/CEO scams, and scaled AI phishing |
| Private account | Still the strongest Instagram control Meta offered during rollout |

How the opt-out worked (while Muse Image referenced public accounts)
| Step | Action |
|---|---|
| 1 | Open Instagram Profile → Menu |
| 2 | Open Sharing and reuse (wording can vary by app version) |
| 3 | Under Allow people to reuse your content on Instagram and with AI features at Meta, turn off Posts and Reels |
| 4 | For harder protection, set the account to Private |
Malwarebytes also reminded readers to enable MFA on Meta accounts — useful after a separate Meta AI support-chatbot issue earlier in 2026 that could change account details without strong verification.

Independent Cybersecurity Audit
We scored primary Meta and Malwarebytes domains on July 14, 2026. 100% is the ideal.
| Domain | Overall | Identity | Transport | Website | Level |
|---|---|---|---|---|---|
| instagram.com | 81% | 75% | 15% | 100% | Good |
| malwarebytes.com | 72% | 90% | 45% | 45% | Good |
| facebook.com | 63% | 25% | 50% | 100% | Above Average |
| meta.com | 39% | 25% | 15% | 45% | Weak |
| Finding | Detail |
|---|---|
| Ideal score | 0 of 4 hit 100% overall |
| Soft identity | meta.com and facebook.com at 25% Identity — spoofed brand mail / phishing risk after AI-privacy headlines |
| Strong website | Instagram & Facebook site headers at 100%; that does not fix mail spoofing |
| Consumer brand gap | Corporate meta.com (39%) is weaker than consumer instagram.com (81%) |

Audit links: meta.com · facebook.com · instagram.com · malwarebytes.com
Website stack note
Passive website-tech probes on July 14, 2026 found no notable outdated CMS / PHP / short-horizon TLS findings on meta.com, facebook.com, instagram.com, or malwarebytes.com. The risk in this story is privacy / AI likeness abuse and spoofed Meta-brand email, not a public WordPress outdated core alert.
What Texas Businesses and Families Should Do
| Audience | Action |
|---|---|
| Instagram users | Confirm Sharing and reuse / AI reuse settings; prefer private profiles for personal photos |
| Everyone on Meta | Turn on MFA; treat unexpected “verify your AI / Muse / deepfake” email as phishing |
| Businesses | Train staff that AI face clones can appear in BEC and vendor fraud; verify executives by known phone numbers |
| Site & mail owners | Enforce DMARC p=reject and MTA-STS — Meta’s own apex domain shows how soft identity leaves brand-spoof room |
Related Coverage
Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow.
Sources: Malwarebytes — Turn off this Meta setting… · EmailMeNow audits
Methodology: Domains audited July 14, 2026 via audit.emailmenow.com. 100% is the ideal.