What Happened

Threat actors recently exploited a bug in Instagram's system to trigger mass password reset requests for targeted accounts. This resulted in many users receiving legitimate password reset emails from Instagram — even though they had never requested one.

In a separate but related incident, approximately 17 million Instagram user records were posted on an underground breach forum. Importantly, the dataset contained only publicly available profile details such as usernames, display names, and profile IDs — no passwords or highly sensitive information were included.

Meta confirmed this was not a new breach but rather a repackaged compilation of older, previously scraped public information. BreachWatcher will notify subscribers if their email address appears in the leaked dataset.

If you received an unsolicited Instagram password reset email, do not click any links inside it. Open the Instagram app directly and review your account security settings from there.

Why This Still Matters

Even though no passwords were directly exposed in the scraped dataset, this kind of data resurfaces in targeted phishing campaigns. Attackers can use your username, display name, and profile ID to craft convincing impersonation attempts — messages that look like they are coming from Instagram or Meta.

The mass password reset bug is also a concern: being able to trigger legitimate reset emails creates an opportunity for attackers to confuse users into clicking malicious links hidden in follow-up phishing messages.

What You Should Do