Instagram Password Reset Attacks Surge After 17.5M Account Leak
A massive Instagram data leak has fueled a wave of password reset attacks, but enabling two-factor authentication can stop hackers in their tracks.
A new wave of Instagram security alerts is hitting users worldwide after a massive alleged data leak exposed information linked to 17.5 million Instagram accounts, triggering a spike in password reset attacks on the platform.
Cybersecurity journalist Davey Winder revealed on January 10 that threat actors posted the database on the hacking forum BreachForums just hours before thousands of Instagram users began receiving unexpected “Reset your password” emails from the platform.
“Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.”
— Malwarebytes (@Malwarebytes) January 9, 2026
The timing suggests a coordinated attempt to exploit leaked account data and trick users into handing over access.
How the Instagram Password Reset Attack Works
Unlike traditional phishing scams, these messages are not fake. They are legitimate password reset emails sent by Instagram, which makes them far more dangerous.
Here is the trick:
“Hackers submit password reset requests for your account using your leaked email or username. Instagram then sends you a real security email. Attackers hope panic will make you click the ‘Reset Password’ button without thinking.”
The email even warns users:
“If you ignore this message, your password will not be changed. If you didn’t request a password reset, let us know.”
But attackers rely on fear. Seeing a sudden security alert makes people act fast instead of carefully reading the message.
Why is This Attack Happening Now?
The attack wave is believed to be directly connected to the BreachForums leak of 17.5 million Instagram records, which went public just before the password reset emails began flooding inboxes. With that data, criminals can mass-target users at scale.
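For operators of any service with a password reset endpoint, mass targeting of this kind shows up as one source requesting resets for many different accounts in a short time. The following is an added example, not code from Instagram or from this article; the log format, the sample lines, the function names and the thresholds are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, target account.
SAMPLE_LOG = """\
2026-01-10T08:00:01 203.0.113.7 alice
2026-01-10T08:00:03 203.0.113.7 bob
2026-01-10T08:00:04 198.51.100.20 carol
2026-01-10T08:00:06 203.0.113.7 dave
2026-01-10T08:00:09 203.0.113.7 erin
2026-01-10T08:02:30 198.51.100.20 carol
2026-01-10T09:15:00 192.0.2.44 frank
2026-01-10T09:40:00 192.0.2.44 grace
2026-01-10T10:05:00 192.0.2.44 heidi
2026-01-10T10:30:00 192.0.2.44 ivan
"""

def parse_events(log_text):
    """Yield (timestamp, source, account) tuples from whitespace-separated lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, account = line.split()
        yield datetime.fromisoformat(ts), source, account

def find_reset_sprayers(events, window=timedelta(minutes=5), min_accounts=4):
    """Map each flagged source to the accounts it targeted inside one window."""
    by_source = defaultdict(list)
    for ts, source, account in events:
        by_source[source].append((ts, account))
    flagged = {}
    for source, items in by_source.items():
        items.sort()
        in_window = Counter()  # account -> reset requests inside the current window
        start = 0
        for ts, account in items:
            in_window[account] += 1
            # Slide the window start forward past events older than `window`.
            while ts - items[start][0] > window:
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                flagged[source] = sorted(in_window)
                break
    return flagged
```

On the sample data only 203.0.113.7 is flagged. The repeated requests for a single account from 198.51.100.20 look like an ordinary user retrying, and the slowly paced requests from 192.0.2.44 are only caught with a wider window.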
The One Thing That Can Stop the Attack
Even if you accidentally click the reset button, hackers still need one more thing to break in.
That safeguard is two-factor authentication (2FA). Instagram confirmed that:
“Two-factor authentication will help you protect your account so no one has access to it, even if someone knows your password.”
When 2FA is active, any login attempt from a new device requires a one-time code sent to your phone or authenticator app. Without that code, the attacker is locked out.
Instagram has already enabled 2FA by default for creator accounts, but regular users must manually verify that it is still turned on.
What Instagram Users Should Do Right Now
To stay safe, every Instagram user should immediately:
- Open Instagram settings
- Go to Security → Two-Factor Authentication
- Make sure it is enabled
- Use an authenticator app or SMS as backup
If you received a password reset email you did not request, do nothing. Ignoring it keeps your password unchanged.
If you think someone already accessed your account, Instagram advises using its account recovery system to lock attackers out and regain control.
What Instagram Says
Instagram has acknowledged that password reset emails do not automatically mean your account was hacked. In some cases, users simply mistype their login details. However, the timing of the 17.5 million account leak makes this surge far more concerning.



