Instagram Denies Breach Amid Password-Reset Spam Surge and Data Leak
Instagram confirmed a wave of unauthorized password-reset emails sent to users on Thursday and Friday, attributing the incident to attackers exploiting its password-reset feature rather than a system breach. The platform, owned by Meta, stated that no internal systems were compromised and urged users to disregard the emails.
Cybersecurity firm Malwarebytes linked the spam campaign to criminals using stolen email addresses from a leaked dataset of 17.5 million Instagram accounts, which included usernames, physical addresses, phone numbers, and email addresses. Instagram later restricted the abused functionality to prevent further misuse.
The timing of the attack coincided with the leak of a separate Instagram dataset on a cybercrime forum by a threat actor known as "Solonik," who claimed it contained "17M Global Users – 2024 Leak." However, cybersecurity firm Kela determined the data was identical to a dataset leaked in 2022 by "Calssara" and reposted in 2023, suggesting it had been rebranded as new. While the data verified by breach notification service Have I Been Pwned includes public account details, email addresses, and some geolocation data, it does not contain passwords.
Security researchers speculated that the password-reset attack may have leveraged email addresses from the 2022-2023 leaks, though Meta denied awareness of any recent scraping incidents. A separate November 2024 listing by "YoursData" claimed to offer 489 million scraped Instagram records, including hidden details; Meta denied knowledge of this activity as well.
Despite no evidence of password exposure, experts warned that the leaked data heightens phishing and social engineering risks. Instagram users were advised to enable multifactor authentication (MFA) to mitigate potential account takeovers.
Source: https://www.bankinfosecurity.com/instagram-confirms-password-reset-spam-flood-denies-breach-a-30492
Instagram cybersecurity rating report: https://www.rankiteo.com/company/instagram
{
  "id": "INS1768239777",
  "linkid": "instagram",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '17.5 million users',
'industry': 'Technology/Social Media',
'location': 'Global',
'name': 'Instagram (Meta Platforms)',
'size': 'Large',
'type': 'Social Media Platform'}],
'attack_vector': "Abuse of Instagram's password-reset feature, API scraping",
'customer_advisories': 'Public statement on X (Twitter) confirming no breach '
'and advising users to ignore spam emails.',
'data_breach': {'data_exfiltration': 'Yes (scraped data leaked to cybercrime '
'forums)',
'number_of_records_exposed': '17.5 million',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (PII)',
'type_of_data_compromised': ['Usernames',
'Email addresses',
'Phone numbers',
'Physical addresses',
'Display names',
'Account IDs',
'Geolocation data']},
'date_detected': '2024-11',
'date_publicly_disclosed': '2024-11',
'date_resolved': '2024-11',
'description': 'Instagram confirmed a wave of password-reset emails sent to '
'users due to malicious activity, denying a breach of its '
'systems. The incident followed the leak of scraped Instagram '
'user data by a threat actor. Cybersecurity experts noted the '
'coincidental timing but confirmed no evidence of a direct '
'breach.',
'impact': {'brand_reputation_impact': 'Moderate (user confusion, trust '
'erosion)',
'data_compromised': '17.5 million Instagram accounts (usernames, '
'physical addresses, phone numbers, email '
'addresses, geolocation data, display names, '
'account IDs)',
'identity_theft_risk': 'High (PII exposure)',
'operational_impact': 'Spam fatigue, potential phishing risks',
'systems_affected': 'Instagram password-reset system'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (scraped data sold by '
'threat actors)'},
'investigation_status': 'Resolved',
'lessons_learned': 'Abuse of security functionality (e.g., password resets) '
'can lead to user fatigue and phishing risks. Scraped '
'data, even if stale, poses long-term risks for social '
'engineering. Multifactor authentication (MFA) is critical '
'to mitigate credential-based attacks.',
'motivation': 'Phishing, social engineering, data monetization',
'post_incident_analysis': {'corrective_actions': ['Fixed password-reset '
'feature to prevent abuse',
'Locked down spammed '
'functionality'],
'root_causes': ["Abuse of Instagram's "
'password-reset feature',
'Potential third-party API '
'scraping',
'Stale data rebranded and leaked '
'as new']},
'recommendations': ['Enable multifactor authentication (MFA) for all '
'Instagram accounts.',
'Monitor for phishing and social engineering scams using '
'leaked data.',
"Review third-party integrations with Instagram's API for "
'potential vulnerabilities.',
'Educate users on recognizing and ignoring suspicious '
'password-reset emails.'],
'references': [{'date_accessed': '2024-11', 'source': 'Malwarebytes'},
{'date_accessed': '2024-11',
'source': 'Instagram (Meta Platforms)'},
{'date_accessed': '2024-11', 'source': 'Kela'},
{'date_accessed': '2024-11', 'source': 'Have I Been Pwned'},
{'date_accessed': '2024-11', 'source': 'DarkEye'}],
'response': {'communication_strategy': 'Public statement on X (Twitter), user '
'advisories',
'containment_measures': 'Locked down spammed password-reset '
'functionality',
'incident_response_plan_activated': 'Yes',
'remediation_measures': 'Fixed password-reset feature abuse'},
'stakeholder_advisories': 'Users advised to ignore password-reset emails and '
'enable MFA.',
'threat_actor': ['Solonik', 'YoursData', 'Calssara', 'vanz'],
'title': 'Instagram Password-Reset Spam Flood',
'type': 'Spam Attack, Data Scraping',
'vulnerability_exploited': 'Password-reset functionality abuse, potential '
'third-party API integration'}