Back to news
Cybersecurity Alert
July 14, 2026 by EmailMeNow IT Consulting

Meta Let Anyone AI-Generate Your Instagram Likeness — Then Pulled Muse Image

Malwarebytes warned that Meta’s Muse Image (July 7, 2026) let strangers generate AI images from public Instagram handles with no notice. Meta reversed the feature July 11. Audits score meta.com 39%, facebook.com 63%, Instagram 81% — none at the 100% ideal.

Source: Malwarebytes · Meta

NewsPrivacyAIInstagramMetaDeepfakeCybersecurity
Meta Muse Image Instagram AI likeness privacy warning illustration

On July 7, 2026, Meta launched Muse Image, an AI image model that could pull likenesses from public Instagram accounts when someone typed a handle into a prompt. Malwarebytes flagged the privacy design: opt-out by default, no notification when your likeness was used, and opt-out that only blocked future generations — not images already made.

By July 11, after widespread criticism, Meta said the Instagram-handle remix feature “missed the mark” and removed it. The episode still matters: it shows how fast consumer AI features can expose faces for impersonation and fraud, and how weak domain controls on Meta properties amplify follow-on phishing that spoofs @meta.com / @instagram.com / @facebook.com “security” mail.

What Happened

DateEvent
Jul 7, 2026Muse Image launched; public IG accounts usable as likeness references
Jul 9, 2026Malwarebytes publishes consumer guidance on the buried opt-out
Jul 11, 2026Meta removes the public-Instagram reference capability
RiskWhy it mattered
No victim noticeMeta policy: you were not told when someone generated images of you
Opt-out only“Sharing and reuse” toggles blocked future AI reuse — not past outputs
Fraud use-casesPublic photos already fuel deepfake KYC, romance/CEO scams, and scaled AI phishing
Private accountStill the strongest Instagram control Meta offered during rollout

Illustration: Instagram Sharing and reuse toggles used to opt out of Meta AI content reuse

How the opt-out worked (while Muse Image referenced public accounts)

StepAction
1Open Instagram ProfileMenu
2Open Sharing and reuse (wording can vary by app version)
3Under Allow people to reuse your content on Instagram and with AI features at Meta, turn off Posts and Reels
4For harder protection, set the account to Private

Malwarebytes also reminded readers to enable MFA on Meta accounts — useful after a separate Meta AI support-chatbot issue earlier in 2026 that could change account details without strong verification.

Illustration: AI deepfake likeness used for identity verification fraud and social-engineering scams

Independent Cybersecurity Audit

We scored primary Meta and Malwarebytes domains on July 14, 2026. 100% is the ideal.

DomainOverallIdentityTransportWebsiteLevel
instagram.com81%75%15%100%Good
malwarebytes.com72%90%45%45%Good
facebook.com63%25%50%100%Above Average
meta.com39%25%15%45%Weak
FindingDetail
Ideal score0 of 4 hit 100% overall
Soft identitymeta.com and facebook.com at 25% Identity — spoofed brand mail / phishing risk after AI-privacy headlines
Strong websiteInstagram & Facebook site headers at 100%; that does not fix mail spoofing
Consumer brand gapCorporate meta.com (39%) is weaker than consumer instagram.com (81%)

Illustration: domain security audit scoreboard for meta.com facebook.com instagram.com and malwarebytes.com

Audit links: meta.com · facebook.com · instagram.com · malwarebytes.com

Website stack note

Passive website-tech probes on July 14, 2026 found no notable outdated CMS / PHP / short-horizon TLS findings on meta.com, facebook.com, instagram.com, or malwarebytes.com. The risk in this story is privacy / AI likeness abuse and spoofed Meta-brand email, not a public WordPress outdated core alert.

What Texas Businesses and Families Should Do

AudienceAction
Instagram usersConfirm Sharing and reuse / AI reuse settings; prefer private profiles for personal photos
Everyone on MetaTurn on MFA; treat unexpected “verify your AI / Muse / deepfake” email as phishing
BusinessesTrain staff that AI face clones can appear in BEC and vendor fraud; verify executives by known phone numbers
Site & mail ownersEnforce DMARC p=reject and MTA-STS — Meta’s own apex domain shows how soft identity leaves brand-spoof room

Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow.

Sources: Malwarebytes — Turn off this Meta setting… · EmailMeNow audits

Methodology: Domains audited July 14, 2026 via audit.emailmenow.com. 100% is the ideal.