Instagram Users Warned After Password Reset Email Wave and Data Breach Claims

Instagram users urged to enable 2FA and check account security following password reset emails and alleged 17 million user data breach.

Instagram users across Ireland have been advised to check their account security following a wave of unsolicited password reset emails and claims of a major data breach affecting 17 million accounts worldwide.

Last week, Instagram users began receiving unexpected emails stating: "Hi {username}, We got a request to reset your Instagram password. If you ignore this message, your password will not be changed. If you didn't request a password reset, let us know."

Around the same time, a cybercriminal using the handle "Solonik" offered alleged data containing information about 17 million Instagram users for sale on a Dark Web forum.

The compromised records reportedly include usernames, full names, user IDs, email addresses, phone numbers, countries and partial locations. Importantly, no passwords are included in the leaked data.

Despite the suspicious timing, Instagram denied over the weekend that the two events are related. The platform stated on X that it had fixed an issue that allowed an external party to request password reset emails for "some people".

Shahak Shalev, global head of scam and AI research at Malwarebytes, explained:

"There are some indications that the Instagram data dump includes data from other, older, alleged Instagram breaches, and is a sort of compilation."

Shalev's team noted that the earliest password reset requests came days before the data appeared on the dark web, suggesting "the data may have been circulating in more private groups before being made public."

However, Shalev said another possibility is that "another vulnerability/data leak was happening as some bad actor tried spraying for [Instagram] accounts. Instagram's announcement seems to reference that spraying. Besides the suspicious timing, there's no clear connection between the two at this time."

Regardless of whether the incidents are connected, security experts warn that scammers will attempt to exploit the situation by sending fake emails.

Shalev added:

"We felt it was important to alert people about the data availability so that everyone could reset their passwords, directly from the app, and be on alert for other phishing communications."

Safety advice for Instagram users:

Malwarebytes believes that if you have enabled two-factor authentication (2FA) on your Instagram account, it is safe to ignore the password reset emails, as proposed by Meta.

However, if you wish to change your password as a precaution, do so directly in the Instagram app rather than clicking any links in emails. This avoids the risk of falling victim to phishing scams.

Since some users may have reused their Instagram credentials for, or linked them to, their Facebook or WhatsApp accounts, users should check recent logins and active sessions on all Meta platforms, logging out from any unrecognised devices or locations.

Malwarebytes offers a free Digital Footprint scan for users who want to check whether their data was included in this or any other breach.

The incident serves as a reminder to enable two-factor authentication on all social media accounts and to be vigilant about unsolicited emails requesting password changes.
