17.5M Instagram Users Hit by API Scraping Attack—Reset Emails Flood Inboxes

Instagram API leak exposes 17M users' emails and phones. Password reset attacks surge as data hits dark web forums.

Your Instagram password reset email might not be a phishing scam—it could be the first sign that your contact details are already in the hands of cybercriminals.

A massive scraping operation has exposed personal information from 17.5 million Instagram accounts, with the dataset now circulating freely on BreachForums. The leak, published January 7 by a threat actor called "Solonik," includes full names, email addresses, phone numbers, and location data harvested through what appears to be an unprotected API endpoint in late 2024.

Unlike typical credential dumps, this breach doesn't include passwords. But that hasn't stopped attackers from weaponising the data. Users across the platform are reporting waves of legitimate password reset notifications—a tactic that exploits Instagram's own security features to create chaos and opportunity for account takeovers.

Malwarebytes, which discovered the leak during routine dark web monitoring, warns that the real danger lies in what comes next. "Attackers are likely to exploit this information in impersonation attacks, phishing campaigns, and credential harvesting attempts," the security firm stated in alerts sent to affected users.

The combination of verified emails and phone numbers creates a perfect storm for SIM-swapping attacks, where criminals hijack your phone number to intercept two-factor authentication codes. When someone claiming to be Instagram support already knows your email, phone number, and location, distinguishing legitimate communication from social engineering becomes nearly impossible.

Meta has remained silent on the incident. As of January 10, the company has issued no public statement, despite mounting evidence and user reports flooding social media platforms.

Security researchers emphasise this wasn't a server breach but rather systematic scraping—automated harvesting through public-facing interfaces. The scale suggests Instagram's rate-limiting protections failed to detect millions of queries extracting user data.

What you need to do now: Enable two-factor authentication using an authenticator app, not SMS. Instagram turned on 2FA by default for creator accounts, but standard users should verify their settings immediately. If you receive unexpected password reset emails, don't click—manually navigate to Instagram's security settings instead. The attackers are counting on panic; your best defence is pausing before you act.
