Millions of Instagram users receive password reset emails after data leak

Instagram users worldwide face phishing risks after a 17.5 million-record data leak exposed personal details via an API vulnerability.

Jan 11, 2026
Technobezz

Instagram users worldwide received unexpected password reset emails this week following a 17.5 million-record data leak. The breach exposed sensitive user information including full names, email addresses, phone numbers, and partial location data.

Cybersecurity researchers at Malwarebytes first identified the leak, which appeared on BreachForums on January 7. A threat actor using the alias "Solonik" posted the dataset titled "INSTAGRAM.COM 17M GLOBAL USERS -- 2024 API LEAK." The information originated from an API vulnerability discovered in 2024.

Hours after the data dump, Instagram users across multiple countries reported a sharp spike in password reset notifications. Some users received a dozen or more emails within 48 hours. The emails appear legitimate, featuring Instagram's official branding and a prominent blue "Reset Password" button.

Security experts classify the incident as "scraping" rather than a direct server breach. Attackers harvested data through public-facing interfaces, bypassing standard security protections. The scale suggests failures in Instagram's rate-limiting or privacy safeguards, adding to the platform's growing challenges with content moderation and security. Instagram chief Adam Mosseri recently warned about AI-generated images evolving too fast for platforms to track, highlighting the broader technological pressures facing social media companies.

The exposed information enables sophisticated attacks including SIM-swapping, phishing campaigns, and social engineering. Criminals can use personal details to establish trust and trick victims into handing over login credentials or two-factor authentication codes.

Davey Winder, a Forbes cybersecurity contributor, confirmed he was among those targeted. "If you get this message from Instagram and were not expecting it, you have found yourself in the crosshairs of an ongoing account attack," Winder warned. He received twelve password reset emails in 48 hours.

Instagram's parent company Meta has not issued a formal statement addressing the specific 17.5 million-record data dump. Representatives did not immediately respond to requests for comment from multiple publications.

The platform automatically enables two-factor authentication for creator accounts but requires regular users to activate it manually. Security experts recommend using authenticator apps rather than SMS-based verification, which remains vulnerable to SIM-swapping attacks.

Users should ignore all unsolicited password reset emails regardless of their appearance. Legitimate Instagram emails only come from addresses ending in @mail.instagram.com. If concerned about account security, users should navigate directly to Instagram through their browser or app rather than clicking email links.
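A mail filter can apply the sender rule above mechanically. The following Python sketch is an added example, not code from Instagram or from the article: it requires an exact match on the From domain and a DMARC pass recorded by the recipient's own mail server. The server name `mx.recipient.example`, the helper names and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "mail.instagram.com"  # sender domain given in the article
AUTHSERV_ID = "mx.recipient.example"   # assumption: your own receiving mail server

def check_sender(raw, trusted=TRUSTED_DOMAIN, authserv_id=AUTHSERV_ID):
    """Return 'ok' or the reason the message fails the sender check."""
    msg = message_from_string(raw)
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        return "missing or duplicate From header"
    _display, addr = parseaddr(froms[0])      # the display name is ignored
    _local, at, domain = addr.rpartition("@")
    if not at or domain.lower() != trusted:   # exact match, never endswith/contains
        return f"From domain {domain!r} is not {trusted}"
    # From is forgeable, so require a DMARC pass recorded by our own server.
    # Authentication-Results with any other authserv-id could be sender-supplied.
    for ar in msg.get_all("Authentication-Results", []):
        ar = " ".join(ar.split())             # unfold continuation lines
        if ar.split(";", 1)[0].strip().lower() != authserv_id:
            continue
        m = re.search(r"\bdmarc=(\w+)[^;]*?\bheader\.from=([\w.-]+)", ar, re.I)
        if m and m.group(1).lower() == "pass" and m.group(2).lower() == trusted:
            return "ok"
    return "no trusted DMARC pass for the From domain"

def make_mail(from_hdr, auth_results):
    # Builds a constructed sample message, not a real Instagram email.
    return (f"Authentication-Results: {auth_results}\n"
            f"From: {from_hdr}\nSubject: Reset your password\n\nbody\n")

PASS = "mx.recipient.example; dmarc=pass (p=REJECT) header.from=mail.instagram.com"
SAMPLES = {
    "genuine": make_mail("Instagram <security@mail.instagram.com>", PASS),
    "lookalike": make_mail("Instagram <security@mail.instagram.com.ig-help.example>", PASS),
    "display_name": make_mail('"security@mail.instagram.com" <reset@ig-help.example>', PASS),
    "forged_from": make_mail("security@mail.instagram.com",
        "mx.recipient.example; dmarc=fail header.from=mail.instagram.com"),
    "injected_header": make_mail("security@mail.instagram.com",
        "mx.other.example; dmarc=pass header.from=mail.instagram.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} {check_sender(raw)}")
```

A message that passes is only shown to come from that domain; it says nothing about who requested the reset, so the advice to ignore unsolicited reset emails still applies.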

The leaked database will circulate in hacking communities indefinitely, providing ammunition for attacks months or years into the future. The 17.5 million affected users need to treat account security as an ongoing priority rather than a one-time fix.

Instagram offers a recovery process at instagram.com/hacked for users who believe their accounts have been compromised. The company also provides detailed instructions for managing two-factor authentication through its Help Center.
