The Enemy Inside: What the Meta Breach Tells Us About the Threat No Firewall Can Stop
A Meta engineer built a script to bypass internal detection systems and download 30,000 private Facebook photos. This week we unpack what the case reveals about the insider threat, and why it's getting worse.
👋 Welcome to Unlocked
Every security product Meta sells to the world is built on a promise: your data is protected.
They have encryption, access controls, zero trust architectures, behavioral monitoring: the whole glossy security brochure. Then one of their own engineers, using access his job already gave him, wrote a custom script designed to slip past the detection layer and quietly downloaded 30,000 private photos from Facebook users' accounts.
The Metropolitan Police's cybercrime unit is now investigating. The FBI made the referral. The engineer, a London-based man in his thirties, was arrested in November 2025 and remains on police bail. Meta says it discovered the breach over a year ago, fired him, notified affected users, and upgraded its security systems.
What Meta can't tell you is how to stop the next one, because the hard truth of the insider threat is that no perimeter defense, however sophisticated, was built to stop a trusted employee with legitimate access who decides to use it wrongly.
This week we dig into what the Meta case reveals — and why the insider threat problem is significantly larger, more expensive, and more structurally under-addressed than most security programs are built to handle.
🔑 What Actually Happened at Meta
The case reads like a security team's worst nightmare — not because it was technically sophisticated, but because it was so methodical.
According to court documents reviewed by The Guardian, the engineer didn't just browse around. He built a purpose-built software program designed specifically to evade Meta's internal detection systems. The script allowed him to access and download approximately 30,000 private images from Facebook users' personal accounts — photos that were not publicly visible and were set to private by the users themselves.
Meta says it discovered the improper access over a year ago. That puts the initial discovery in early 2025 at the latest — meaning the breach was live for an unknown period before that. The engineer was terminated, affected users were notified, and the case was referred to US law enforcement, who passed it to Scotland Yard. He was arrested in November 2025. The UK Information Commissioner's Office has confirmed it is aware of the incident — and under UK GDPR, Meta could face significant fines if its technical and organizational measures are found to have been insufficient.
The detail that should concern every CISO reading this isn't the 30,000 photos. It's the script. This wasn't opportunistic browsing. It was a deliberate, engineered effort to defeat detection — designed by someone who understood exactly how Meta's monitoring systems worked, because he worked there. The insider didn't just have access. He had knowledge of the controls, and he used it.
📉 The Numbers
- 30,000 private Facebook photos accessed by a single insider — using a script designed to evade detection
- $19.5M average annual cost of insider risk per organization in 2026 — up 123% since 2018
- $400M estimated cost to Coinbase from a separate insider-enabled breach disclosed in 2025
- 13% of enterprise employees have sold their corporate credentials — or know someone who has (Cifas, 2026)
- 43% of C-suite executives say selling company login details is "justifiable" (Cifas, 2026)
- 75% of insider incidents are non-malicious — negligence and credential misuse rather than deliberate sabotage
- 25% are deliberate — data theft, fraud, or sabotage by employees who knowingly cross the line
- 67 days average time to contain an insider incident — down from 86 days in 2023, but still nearly ten weeks
- 90% of security teams say insider threats are as difficult or harder to detect than external attacks
- 82:1 ratio of machine and AI identities to human employees — each one a potential insider risk vector
🔍 Three Reasons the Insider Threat Is Getting Worse
The Meta breach isn't an isolated incident. It's part of a pattern that the data shows is accelerating.
1. The "trusted insider" model is functionally broken.
The traditional insider threat model assumes that most employees are trustworthy and the risk is confined to a small number of disgruntled individuals. The 2026 data has shattered that assumption on two fronts.
First, the definition of "insider" has expanded well beyond the employee. In 2026, an insider is any identity — a compromised employee, a fraudulent hire, a bribed contractor, or an infostealer victim — that possesses legitimate credentials to access corporate systems. The threat is defined by the identity's permissions, not the person's intent. Coinbase learned this the hard way when cybercriminals bribed overseas support contractors to systematically extract customer data, a scheme the company estimated could cost it as much as $400 million. No zero-day. No sophisticated malware. Just money, motive, and people with the wrong kind of access.
Second, and more unsettling: a Cifas survey of 2,000 enterprise employees found that 13% had sold their corporate credentials or knew someone who had. One in eight. And when researchers broke the data down by seniority, it got worse: 32% of managers, 36% of directors, and 43% of C-suite executives said selling login details was "justifiable." The people with the most access are the most comfortable with the idea of monetizing it. That is not a fringe risk. That is a structural governance problem.
2. Detection is systematically failing.
Flashpoint observed 91,321 instances of insider recruiting, advertising, and insider-related threat actor discussions in 2025 alone. Ransomware groups and initial access brokers are actively recruiting insiders on Telegram, Signal, and dark web forums — offering cash payments for credentials, screenshots of internal systems, and access to specific platforms. The recruitment is targeted, professional, and increasingly normalized.
Despite this, most organizations' detection capabilities haven't kept pace. 90% of security teams say insider threats are as difficult or harder to detect than external attacks. The reason is structural: insider threat detection tools were built to identify anomalous behavior, and the Meta engineer's script was written by someone who knew what those tools flagged and engineered to stay beneath it. Coinbase's contractors accessed exactly the systems they were supposed to access; they just exfiltrated the data along the way. Low-noise, legitimate-looking access defeats behavioral detection because there is no anomaly to find: the identity is authorized, the volume sits inside normal tolerance, and the only thing wrong is the intent.
The DTEX 2026 Insider Risk Report quantifies the cost of this detection gap: organizations with formal insider risk programs avoid an average of $8.2M in annual breach costs. Yet most organizations still don't have one. Privileged access management alone delivers $6.1M in annual cost reduction when deployed properly. The ROI is documented and repeatable. The adoption isn't there.
3. The blast radius has never been larger.
The Meta engineer had access to 30,000 users' private photos because his role gave him access to systems with that data. The question most organizations can't answer is: how much damage could your highest-access employee do in a single session — and do your controls limit that blast radius, or just monitor it?
The machine-to-human identity ratio has reached 82:1 in enterprise environments. Service accounts, AI agents, API keys, OAuth tokens, automated workflows: each one carries permissions that, if abused or compromised, create an insider-equivalent risk.
While investigators probe the insider engineer, a separate vulnerability in Meta's AI support chatbot was exploited to hijack high-profile Instagram accounts — including a White House handle and a U.S. Space Force account. Attackers didn't need a password. They asked the AI to bind a new email address, and it did. The bot had direct write access to account-recovery APIs with no mechanism to verify who it was actually talking to. That's not a software bug. That's an AI agent with permissions that nobody governed.
🛡️ What This Means for Your Access Layer
The insider threat is fundamentally an access governance problem. The controls that matter aren't the ones that detect anomalous behavior after the fact — they're the ones that limit what any single identity can do in the first place.
Shrink the blast radius before you improve detection. The Meta engineer could access 30,000 private photos because his permissions allowed it. The first question isn't "how do we detect the next one?" — it's "how many records could any single employee access in a single session, and is that number defensible?" Least-privilege access, just-in-time provisioning, and data access controls that limit bulk export without secondary approval directly reduce the damage ceiling on any insider event, malicious or negligent.
Treat privileged access as a board-level risk category. The average organization's insider risk bill now runs $19.5M a year, and organizations with formal PAM programs reduce that exposure by $6.1M annually. That's a documented, auditable return on investment that belongs in a board-level risk conversation. If your privileged access governance program doesn't have a line item in the annual risk report, it's underweighted relative to its actual financial exposure.
Extend insider risk programs to non-human identities. AI agents, service accounts, and OAuth integrations now outnumber human employees 82 to 1. Most insider risk programs still only cover human users. That's a blind spot that attackers — and, as the DTEX report documents, AI agents themselves — are actively exploiting. Every non-human identity in your environment should carry the same access governance requirements as a privileged human user: least privilege, regular access reviews, and session monitoring. Hardware-bound credentials that tie authentication to a physical device close off the credential-selling market Cifas describes, since a sold password is useless without the device. They do nothing, however, against an engineer using his own legitimate session, which is exactly what happened at Meta; that case is only answered by limits on what an authenticated session is allowed to do.
Build a formal insider risk program — or quantify the cost of not having one. Organizations with formal insider risk programs avoid seven incidents per year on average. Without one, the average annual cost is $19.5M — a figure that has risen 123% since 2018 and shows no sign of slowing. The question for leadership isn't whether the insider threat is real. It's whether the cost of managing it is higher or lower than the cost of ignoring it. The data answers that question clearly. We've also covered the third-party dimension of this risk in depth, and the patterns at Meta, Coinbase, and Instructure all point the same direction.
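The blast-radius question above (how many records can one identity pull in a single session), the bulk-export-with-secondary-approval control, and the point that non-human identities get the same governance, worked through as an added example. This is illustrative code written for this issue, not Meta's or any vendor's implementation; the identities, dataset sizes, session budgets and approval threshold are all constructed, and the 30,000-record dataset merely mirrors the figure in the case.

```python
# Added example (not Meta's or any vendor's code): a minimal data-access gate enforcing
# the blast-radius controls discussed above. All identities, datasets and approvals are constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                    # "human" or "service": both are governed identically
    scopes: FrozenSet[str]       # datasets this identity may read at all
    session_budget: int          # hard ceiling on records per session


@dataclass(frozen=True)
class Approval:
    approver: str                # must differ from the requester (four-eyes rule)
    requester: str
    dataset: str
    max_records: int


@dataclass
class Session:
    identity: Identity
    records_read: int = 0
    audit: List[str] = field(default_factory=list)


class AccessDenied(Exception):
    pass


class DataAccessGate:
    """Single chokepoint for reads of user data: every read is scoped, budgeted and logged."""

    def __init__(self, dataset_sizes: Dict[str, int], bulk_threshold: int):
        self.dataset_sizes = dataset_sizes
        self.bulk_threshold = bulk_threshold   # a single read above this needs a second approver

    def blast_radius(self, identity: Identity) -> int:
        """Worst case for one session: every reachable record, capped by the session budget."""
        reachable = sum(n for ds, n in self.dataset_sizes.items() if ds in identity.scopes)
        return min(reachable, identity.session_budget)

    def read(self, session: Session, dataset: str, count: int,
             approval: Optional[Approval] = None) -> int:
        ident = session.identity
        if dataset not in ident.scopes:
            self._deny(session, f"no scope for {dataset}")
        if count > self.bulk_threshold:
            valid = (approval is not None and approval.requester == ident.name
                     and approval.approver != ident.name and approval.dataset == dataset
                     and count <= approval.max_records)
            if not valid:
                self._deny(session, f"bulk read of {count} from {dataset} lacks a valid second approval")
        # The cumulative budget is what stops a script that chunks reads below the bulk threshold.
        if session.records_read + count > ident.session_budget:
            self._deny(session, f"session budget of {ident.session_budget} records would be exceeded")
        session.records_read += count
        session.audit.append(f"ALLOW {ident.name} {dataset} {count}")
        return count

    def _deny(self, session: Session, reason: str) -> None:
        session.audit.append(f"DENY {session.identity.name}: {reason}")
        raise AccessDenied(reason)


# Constructed inventory (illustrative sizes, no real data) and one policy instance.
DATASETS = {"user_private_photos": 30_000, "public_profiles": 100_000}
GATE = DataAccessGate(DATASETS, bulk_threshold=500)
ENGINEER = Identity("eng-alice", "human", frozenset({"user_private_photos"}), session_budget=1_000)
LEGACY = Identity("eng-legacy", "human", frozenset({"user_private_photos"}), session_budget=10**9)
ANALYST = Identity("analyst-bob", "human", frozenset({"user_private_photos"}), session_budget=10_000)
BACKUP_SVC = Identity("svc-backup", "service", frozenset(DATASETS), session_budget=50_000)


def simulate_chunked_exfil(identity: Identity, chunk: int = 100, target: int = 30_000) -> int:
    """An insider script that keeps every read under the bulk threshold so no single request
    looks anomalous. Returns how many records it obtained before the gate stopped it."""
    session, got = Session(identity), 0
    while got < target:
        try:
            got += GATE.read(session, "user_private_photos", chunk)
        except AccessDenied:
            break
    return got


def approved_bulk_read(identity: Identity, count: int, approver: str) -> int:
    """A bulk read carrying a secondary approval; returns records read, or 0 if denied."""
    approval = Approval(approver, identity.name, "user_private_photos", count)
    try:
        return GATE.read(Session(identity), "user_private_photos", count, approval)
    except AccessDenied:
        return 0


if __name__ == "__main__":
    for ident in (ENGINEER, LEGACY, ANALYST, BACKUP_SVC):
        print(f"{ident.name:12} {ident.kind:8} blast radius per session: {GATE.blast_radius(ident)}")
    print("chunked exfil, budgeted:", simulate_chunked_exfil(ENGINEER),
          "| unbudgeted:", simulate_chunked_exfil(LEGACY))
    print("5000 self-approved:", approved_bulk_read(ANALYST, 5_000, "analyst-bob"),
          "| with second approver:", approved_bulk_read(ANALYST, 5_000, "oncall-lead"))
```

The contrast to look at is the two runs of the chunking script: against the budgeted engineer it stops at 1,000 records, while against the unbudgeted legacy identity the same script drains all 30,000 without a single request ever crossing the bulk threshold, which is exactly the gap behavioral detection leaves. The backup service account is bounded by the same budget logic as the humans, and the self-approved bulk read is refused because the approver and requester are the same identity.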
🔑 The Bottom Line
Meta has better security than most organizations on the planet. Encryption, zero trust, behavioral monitoring, a dedicated security team that found this breach and acted on it. And a trusted engineer with legitimate access still walked 30,000 private photos past the monitoring layer with a script he wrote himself.
That's not a failure of technology. It's a demonstration of its limits.
The insider threat will never be eliminated. But it can be governed — through access controls that reduce blast radius, privileged access programs that create accountability, and identity architectures that treat every identity, human and machine, as a potential risk vector rather than a trusted entity.
The security perimeter was never the last line of defense. The access layer always was.
💡 Unlocked Tip of the Week
Ask your team this question:
"If our highest-privileged user decided tomorrow to exfiltrate as much sensitive data as possible before leaving, what could they take — and how long before we'd know?"
If the honest answer involves days of detection lag, bulk export capabilities with no secondary approval, or non-human identities with permissions nobody has reviewed recently, that's the blast radius problem. Neither Meta nor Coinbase caught the exfiltration at the first record; both found it after the data was already gone. Detection is important. Limiting what can be taken before detection occurs is more important.
🔥 Final Takeaway
The insider threat isn't the exotic edge case, it's the one your perimeter was never designed to stop.
Meta, Coinbase, FinWise Bank — each one a well-resourced, sophisticated organization and each one breached from the inside. The common thread isn't weak technology, it's the fundamental challenge of governing trusted access in environments where the perimeter and the insider are, by design, the same person.
The organizations that manage this risk well aren't the ones with the most monitoring, they're the ones that built access controls that assume the insider is a threat vector — and limited the blast radius accordingly, before the breach, not after.
Stay ready. Stay resilient.
Until next time,
