Instagram Password Reset Spam and Data Leak Claims
Instagram experienced a large-scale abuse of its password reset feature, resulting in a flood of password reset emails sent to users. The company confirmed that this activity was due to external parties exploiting the password reset mechanism using stolen email addresses, but emphasized that there was no breach of its internal systems. Instagram stated it has since fixed the issue and reassured users that their accounts remain secure, advising them to disregard the unsolicited password reset emails.
Simultaneously, cybersecurity firm Malwarebytes and other researchers reported that data from approximately 17.5 million Instagram accounts—including usernames, email addresses, phone numbers, and physical addresses—was leaked and distributed on hacking forums. While some sources suggest the data may have originated from previous API scraping incidents, Instagram and its parent company Meta deny any recent breach or API vulnerability, and the exact source and timing of the leaked data remain unconfirmed. The incident highlights the risks of feature abuse and the ongoing challenges of protecting user data from large-scale scraping and credential-based attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Instagram locks down abused reset function and denies breach
Instagram said it fixed the issue by locking down the abused password-reset functionality and stated there was no breach of its systems. Security researchers also said the timing of the spam flood and the recycled dataset appeared coincidental.
Criminals abuse Instagram password-reset feature to spam users
Users received a large wave of password-reset emails sent from Instagram's legitimate security email address after criminals abused the platform's password-reset function with stolen email addresses. Researchers found no evidence this activity resulted from a breach of Instagram systems or exposed passwords.
Actor 'Solonik' advertises recycled '17M Global Users' Instagram dataset
A cybercrime-forum actor using the name 'Solonik' advertised a purported '17M Global Users' Instagram dataset. Kela and HIBP assessed the dump was legitimate but old, containing public profile data and some contact details, with no passwords.
Older Instagram dataset reposted on BreachForums
The same older Instagram dataset was posted again on BreachForums in 2023, reinforcing later assessments that the 2026 leak claims were not based on a new breach. Analysts said the data appeared to be recycled rather than newly stolen.
Instagram data dump first shared from older scraped data
A dataset later marketed as affecting 17 million Instagram users was first shared in 2022, according to Kela's assessment. Researchers said it consisted largely of public Instagram profile data, with some email addresses and phone numbers, but no passwords.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Instagram Data Breach Exposes Personal Information of 17.5 Million Users
A significant data breach has exposed the personal information of approximately 17.5 million Instagram users, with details including usernames, email addresses, phone numbers, and physical addresses now reportedly available for sale on the dark web. The breach, identified by Malwarebytes during routine dark web monitoring, has led to a surge in password reset emails sent to affected users and raised concerns about the potential for phishing, account takeovers, and more severe real-world threats such as stalking and extortion. Security researchers note that the leaked data appears to be more comprehensive than previous incidents, with attackers possibly correlating Instagram user IDs with external data sources to link online identities to real-world addresses. The compromised database, described as a "doxxing kit," is being sold in batches on cybercrime forums, increasing the risk of targeted attacks against those affected. While Meta has not yet issued an official statement regarding the incident, security experts warn that the exposure of physical addresses alongside digital identifiers significantly elevates the privacy and safety risks for users. The breach underscores the importance of enabling two-factor authentication and monitoring for suspicious account activity, as the stolen data is actively circulating and may be used for a range of malicious purposes beyond typical credential abuse.
Mar 21, 2026
Meta AI Recovery Flaw Enabled Instagram Account Takeovers at Scale
Meta disclosed that attackers exploited a flaw in its AI-assisted Instagram account recovery system, known as **High Touch Support (HTS)**, to reset passwords for accounts they did not own. Reporting tied the abuse to earlier takeovers of high-profile and valuable accounts including the archived Obama White House profile, Jane Manchun Wong, Sephora, a senior U.S. Space Force official, and sought-after short handles such as `@hey` and `@jowo`, some of which were briefly defaced or advertised for resale on Telegram. Multiple reports said attackers used VPNs or residential proxies to appear near a victim’s usual location, then manipulated Meta’s support workflow to add an attacker-controlled email address or receive a reset link without compromising the victim’s inbox. Meta later said the vulnerable code path failed to verify that the submitted recovery email matched the email already associated with the target account, exposing **20,225** users between roughly April 17 and the end of May; successful takeovers were generally possible when victims had not enabled two-factor authentication. The company said it discovered the exploitation on May 31, disabled the HTS tool, invalidated reset links, forced affected accounts through security checkpoints and password resets, and plans to notify impacted users while reviewing similar recovery flows across its platforms. The incident drew broader scrutiny because an AI-driven support layer was allowed to perform privileged identity and recovery actions without deterministic verification, turning customer support into an account-takeover path.
Jun 18, 2026
LinkedIn Exposed Hundreds of Millions of Profiles and Millions of Passwords
LinkedIn faced multiple major security incidents involving both scraped profile data and compromised credentials. In one 2021 case, data from about **500 million** accounts was reported online, followed by a larger dataset allegedly covering roughly **700 million** profiles offered for sale on Raid Forums. Reports said the exposed information included public profile details such as names, job titles, locations, workplace email addresses, phone numbers, social links, dates of birth, and in some cases precise GPS data. LinkedIn said the 2021 incidents were not traditional intrusions but large-scale scraping of publicly accessible member information, potentially through abuse of its API, and maintained that no private member data was breached. Earlier, LinkedIn confirmed that a separate 2012 compromise exposed about **6 to 6.5 million** member passwords, prompting password invalidations, reset notices, and an FBI-linked investigation. Reporting said the leaked passwords were hashed but **not salted**, allowing many to be cracked more easily after being posted on a hacker site, and some decoded passwords were later published. The combined incidents raised persistent concerns that LinkedIn data could be weaponized for phishing, spam, identity theft, stalking, and account compromise, especially when profile information is paired with weakly protected credentials.
May 25, 2026