Instagram Fixes Password Reset Abuse as 17.5 Million Account Records Leak Online

CyberSecureFox 🦊

Instagram has fixed a vulnerability that allowed third parties to trigger mass password reset emails to users, while a large dataset allegedly containing records for about 17.5 million Instagram accounts is being shared for free on hacker forums and discussed by the cybersecurity community.

Instagram password reset vulnerability and abuse of recovery emails

According to reporting by BleepingComputer, Meta confirmed it recently remediated an issue that enabled attackers to automatically request legitimate password reset emails for Instagram accounts at scale. This did not involve breaking into accounts directly, but rather abusing the standard password recovery workflow.

Meta states that the Instagram infrastructure itself was not breached. Passwords were not reset automatically, and a password could only be changed if the legitimate user followed the link in the email and completed the process. Unsolicited password reset messages can therefore be safely ignored.

However, such a flaw is far from harmless. Mass sending of genuine reset emails creates ideal conditions for social engineering and phishing. Real emails from Instagram can be used as a “noise layer” to hide fake messages, confuse users, trigger panic, and push them to click fraudulent links or disclose credentials.
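The page does not say how the reset endpoint was abused, only that legitimate reset emails could be requested at scale. The added example below (not Instagram's or Meta's code) shows the kind of control a defender would expect on such an endpoint: a sliding-window throttle keyed both on the target account and on the requesting source, while the outward response stays identical so the endpoint neither confirms that an account exists nor reveals that it is being throttled. The limits and window are assumptions.

```python
import time
from collections import defaultdict, deque

# Assumed limits (not from the article): how many reset mails one account
# may receive, and how many reset requests one source may make, per window.
PER_ACCOUNT_LIMIT = 3
PER_SOURCE_LIMIT = 20
WINDOW_SECONDS = 3600

GENERIC_RESPONSE = "If an account matches, a reset email has been sent."


class ResetThrottle:
    """Sliding-window throttle for password-reset email requests."""

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so the logic can be tested offline
        self.by_account = defaultdict(deque)  # account_id -> send timestamps
        self.by_source = defaultdict(deque)   # source_ip  -> request timestamps

    def _prune(self, q, t):
        # Drop timestamps that have fallen out of the window.
        while q and q[0] <= t - WINDOW_SECONDS:
            q.popleft()

    def should_send(self, account_id, source_ip):
        """Return True if a reset email should actually be sent."""
        t = self.now()
        acct_q = self.by_account[account_id]
        src_q = self.by_source[source_ip]
        self._prune(acct_q, t)
        self._prune(src_q, t)
        if len(acct_q) >= PER_ACCOUNT_LIMIT or len(src_q) >= PER_SOURCE_LIMIT:
            # Over limit: do not send. A real service would log this event,
            # since a burst of throttled requests is the signal of a
            # mass-reset campaign against many accounts.
            return False
        acct_q.append(t)
        src_q.append(t)
        return True

    def handle_request(self, account_id, source_ip):
        """Endpoint behaviour: same response whether or not mail is sent."""
        self.should_send(account_id, source_ip)
        return GENERIC_RESPONSE
```

The per-account limit is what stops a single victim from being flooded with genuine reset mail; the per-source limit slows an attacker rotating through many target accounts from one vantage point.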

Data dump of 17.5 million Instagram accounts: what is known

While the password reset issue was being addressed, Malwarebytes researchers reported the appearance of a free data dump advertising about 17.5 million Instagram accounts. The database is being distributed on multiple hacker forums and is promoted as the result of an Instagram API data leak in 2024.

Contents and structure of the leaked Instagram database

Analysis suggests the dataset includes information on approximately 17,017,213 profiles. Depending on the record, it may contain the following fields:

— phone numbers;
— usernames;
— real names;
— physical addresses;
— email addresses;
— unique Instagram IDs.

The structure is incomplete: for some accounts, only the Instagram ID and username are present, with no sensitive contact data. This unevenness is typical of large datasets assembled over time from multiple sources, rather than from a single, clean breach.

The threat actor claims the data was collected in 2024 via an Instagram API vulnerability. Several security experts, however, suspect the material could actually date back to around 2022 and stem from large-scale scraping of public or semi-public information, possibly mixed with older leaks going back to API exposures reported as early as 2017.

Meta, for its part, says it is not aware of any Instagram API compromises in either 2022 or 2024. As of now, no publicly available technical evidence definitively proves whether this dataset comes from a fresh API breach or from prolonged scraping and aggregation.

Scraping vs direct breach: why the distinction matters

From a technical standpoint, it is important to distinguish a classic data breach from mass scraping:

In a breach, attackers penetrate internal systems and obtain non-public data such as password hashes, access tokens, or private profile fields. This significantly increases the risk of account takeover, credential stuffing, and targeted attacks.

Scraping usually relies on public or semi-open information, for example, details visible on open profiles or via poorly restricted APIs. While it may not break perimeter security, the resulting databases can still be extremely valuable to criminals, fueling spam, targeted phishing, extortion attempts, SIM-swap setups, and identity-based fraud.

In the case of this Instagram dump, the field composition (name, username, email, phone, address) closely matches what is typically seen in scraping and long-term aggregation operations. Nevertheless, until independent technical analysis is complete, the exact origin of the data remains uncertain.

Practical security measures for Instagram users

Even if passwords were not exposed, combinations such as email + phone + name + address substantially increase the effectiveness of phishing and social engineering. Attackers can craft convincing messages that appear to come from Instagram, delivery companies, payment services, or banks.

1. Ignore password reset emails you did not request.
Do not click links in unsolicited reset messages and never enter your credentials after following such links. If in doubt, open Instagram directly via the official app or website and check your account there.

2. Enable two-factor authentication (2FA).
Use an authenticator app rather than SMS where possible to reduce the risk of SIM-swap attacks and interception of one-time codes. 2FA significantly raises the bar for account takeover, even if a password is compromised elsewhere.

3. Use unique, strong passwords for every service.
A reputable password manager can generate and store long, complex passwords, preventing the reuse of the same credentials across multiple platforms. This is critical, as large-scale credential reuse remains a major vector in account hijacking.

4. Review what data you make public on Instagram.
Regularly revisit your privacy settings. Limit the visibility of your phone number and email address, especially if they are used for account recovery. Reducing exposed personal data lowers the quality of information available to attackers.

5. Treat highly personalized messages with skepticism.
The presence of your correct name, username, or phone number in an email or direct message does not guarantee legitimacy. Check the sender’s domain carefully, avoid shortened or suspicious links, and verify any urgent requests by logging in directly or contacting official support.

6. Monitor your account activity and connected sessions.
Periodically review active logins and connected devices in your Instagram security settings. Revoke access you do not recognize and change your password immediately if anything looks suspicious.

The combination of a password reset abuse issue and the circulation of a 17.5 million–record dataset demonstrates that even without a catastrophic “hack” of Instagram’s core systems, user data can still be weaponized at scale. Strengthening personal cyber hygiene—enabling 2FA, using unique passwords, minimizing public data, and critically evaluating all requests for credentials—remains one of the most effective defenses against evolving threats.

Instagram and its parent company Meta are designated as extremist organizations and are banned on the territory of the Russian Federation.
