Instagram Users Targeted in Suspected Data Leak and Password Reset Scam
Last week, Instagram users reported receiving unsolicited password reset emails from the platform, prompting concerns over a potential security breach. The messages, sent to an unspecified number of accounts, stated that a password reset had been requested and urged recipients to verify the activity if they hadn’t initiated it.
Around the same time, a cybercriminal known as “Solonik” listed a dataset allegedly containing information on 17 million Instagram users for sale on a Dark Web forum. The leaked data includes usernames, full names, user IDs, email addresses, phone numbers, countries, and partial locations but no passwords.
Instagram denied any direct connection between the password reset emails and the leaked dataset, attributing the former to a now-fixed issue that allowed an external party to trigger reset requests for some users. Cybersecurity researchers, including Shahak Shalev of Malwarebytes, suggested the leaked data may be a compilation of older breaches, possibly circulating in private groups before its public release. Another theory is that a separate vulnerability or credential-stuffing attack may have occurred independently.
While the exact relationship between the two incidents remains unclear, security experts warn that scammers are likely to exploit the confusion by sending fake phishing emails to trick users into revealing login credentials. Users are advised to reset passwords directly through the Instagram app rather than clicking email links and to monitor linked accounts (such as Facebook and WhatsApp) for suspicious activity.
The incident highlights ongoing risks of large-scale data exposure and the potential for cybercriminals to weaponize leaked information, even when passwords are not directly compromised.
Instagram cybersecurity rating report: https://www.rankiteo.com/company/instagram
"id": "INS1768273687",
"linkid": "instagram",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '17 million users',
'industry': 'Technology / Social Media',
'location': 'Global',
'name': 'Instagram',
'size': 'Large (Meta subsidiary)',
'type': 'Social Media Platform'}],
'attack_vector': 'Spraying for accounts / Possible vulnerability exploitation',
'customer_advisories': 'Ignore unsolicited password reset emails; reset '
'passwords via the app; enable 2FA; check for '
'suspicious logins.',
'data_breach': {'data_exfiltration': 'Yes (sold on Dark Web)',
'number_of_records_exposed': '17 million',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'Personally Identifiable Information '
'(PII)',
'type_of_data_compromised': ['Usernames',
'Full names',
'User IDs',
'Email addresses',
'Phone numbers',
'Countries',
'Partial locations']},
'description': 'Instagram users received unsolicited password reset emails, '
'coinciding with a Dark Web sale of alleged Instagram user '
'data containing 17 million records. Instagram denied a '
'connection between the two events but acknowledged fixing an '
'issue allowing external parties to request password reset '
'emails.',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': '17 million user records',
'identity_theft_risk': 'Yes',
'operational_impact': 'Potential phishing campaigns exploiting the '
'incident',
'systems_affected': ['Instagram platform']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (17 million records)'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Importance of monitoring for phishing attempts following '
'data leaks, verifying password reset requests via '
'official channels, and enabling 2FA.',
'motivation': ['Data Theft', 'Financial Gain (Data Sale)'],
'post_incident_analysis': {'corrective_actions': 'Fix for password reset '
'request issue; user '
'advisories for password '
'resets and 2FA.',
'root_causes': 'Possible vulnerability allowing '
'external password reset requests; '
'potential compilation of older '
'breaches.'},
'recommendations': ['Reset passwords directly via the Instagram app (not '
'email links).',
'Enable 2FA on Instagram and linked Meta accounts.',
'Check recent logins and active sessions on Instagram, '
'WhatsApp, and Facebook.',
'Use tools like Digital Footprint scan to check for data '
'exposure.',
'Be cautious of phishing emails exploiting the incident.'],
'references': [{'source': 'Malwarebytes'},
{'source': 'Instagram (Meta) statement on X (Twitter)'}],
'response': {'communication_strategy': 'Public statement on X (Twitter) '
'denying connection between events',
'containment_measures': 'Fixed issue allowing external password '
'reset requests',
'remediation_measures': 'Advised users to reset passwords via '
'the app and enable 2FA'},
'stakeholder_advisories': 'Users advised to reset passwords and enable 2FA; '
'businesses warned about potential phishing '
'campaigns.',
'threat_actor': 'Solonik (Dark Web handle)',
'title': 'Instagram Password Reset Requests and Data Leak',
'type': ['Phishing Attempt', 'Data Leak'],
'vulnerability_exploited': 'External party able to request password reset '
'emails'}