National Cybersecurity Center
Blog by stephenhan1

Instagram Data Leak & Password Reset Attacks
Updated: January 10, 2026 

Hackers have stolen personal information linked to approximately 17.5 million Instagram accounts. The exposed data includes usernames, email addresses, phone numbers, and in some cases, home addresses. This data is now being shared online, where cybercriminals can easily access and exploit it. 

Since the data began circulating, many Instagram users have reported a surge in unexpected password reset emails and suspicious account activity. 

What Happened 

Cybersecurity researchers identified a large dataset tied to Instagram accounts that was posted on a cybercriminal forum. Shortly after its release, attackers began using the exposed information to target users directly. 

Key details 

  • A threat actor published 17.5 million Instagram user records online 
  • The dataset contains personal contact and profile information 
  • Attackers are using this information to trigger password reset attempts and launch phishing campaigns 
  • Meta (Instagram’s parent company) has not released a detailed public incident report as of this update 

How Attackers Are Exploiting This 

Criminals are using the leaked data to run targeted social engineering attacks, including: 

  • Sending fake “Your password has been reset” or “Suspicious login detected” emails 
  • Using real names, emails, or phone numbers to make phishing messages appear legitimate 
  • Directing users to fake Instagram login pages designed to steal credentials 

In some cases, attackers may also trigger real password reset emails from Instagram, making it harder for users to distinguish legitimate alerts from scams. 

What You Should Do Now 

If you have an Instagram account, take these steps immediately: 

  1. Enable Two-Factor Authentication

Turn on two-factor authentication (2FA). This adds a second layer of protection and prevents attackers from accessing your account even if they obtain your password. Use an authenticator app when possible—avoid SMS-based codes, which can be intercepted. 

  2. Change Your Password Safely

Do not click links in emails or text messages. Open the Instagram app or type instagram.com directly into your browser, then set a new, strong password that you do not reuse on other accounts. 

  3. Review Account Access

Confirm that the email address and phone number on your account are correct. Review recent login activity and remove any devices or sessions you do not recognize. 

  4. Watch for Scam Messages

Expect an increase in fake emails, texts, or messages pretending to be from Instagram. Remember: Instagram will never ask for your password through email or direct messages. 

  5. Report Suspicious Activity

Use Instagram’s in-app tools to report phishing messages or unusual account behavior. 

Need help with any of these steps? Our Personal Cyber Advisor can walk you through the process.

Bottom Line 

The risk to Instagram users is real and ongoing. Be cautious of unexpected messages, avoid clicking links in emails or texts, and manage your account directly through the Instagram app or by typing instagram.com into your browser. 

Enabling two-factor authentication is the single most effective step you can take right now to protect your account.