If your inbox is suddenly filling up with Instagram password reset emails you never asked for, it may be a sign someone is trying to access your account. A new report from cybersecurity firm Malwarebytes has flagged a massive data breach affecting approximately 17.5 million users, with the leaked data including sensitive personal information.
The exposure, which reportedly includes physical addresses, email addresses, and phone numbers, has put millions at risk of account takeovers and targeted scams. The data is now allegedly for sale on the dark web.
Sensitive Data for Sale on Dark Web
Malwarebytes reportedly discovered the breach during a routine dark web scan. The security firm linked the massive exposure to a 'potential incident related to an Instagram API exposure from 2024.'
The leaked information is said to include sensitive details such as email addresses, phone numbers, and physical addresses, stripping away the anonymity many users rely on. The exposure of physical addresses is particularly unsettling, as it turns an online problem into a real-world safety concern.
@noahglenncarter IG just had a massive security breach affecting over 17,000,000 accounts #ig #securitybreach #foryou
♬ original sound - NoahGlennCarter
Meta, Instagram's parent company, has not yet issued an official statement on this specific incident.
Malwarebytes warned that the 'data is available for sale on the dark web and can be abused by cybercriminals.' When data hits the dark web, it enters a marketplace where scammers purchase bulk lists of personal information to launch targeted attacks. With phone numbers and emails, criminals can execute sophisticated phishing campaigns or attempt SIM swapping, where they use your phone number to intercept two-factor authentication codes.
Why Your Private Details Are Now for Sale on the Dark Web
This is no longer just a case of data 'getting out'. Malwarebytes warned that the 'data is available for sale on the dark web and can be abused by cybercriminals.'
When data hits the dark web, it enters a marketplace where scammers and hackers purchase bulk lists of personal information to launch targeted attacks. With phone numbers and emails in hand, criminals can execute sophisticated phishing campaigns, pretending to be bank officials or support agents to trick you into handing over financial details.
Furthermore, the availability of such data fuels the growing crime of SIM swapping, where hackers use your phone number to intercept two-factor authentication codes, effectively bypassing standard security measures.
How to Secure Your Instagram Account
The most immediate symptom of this breach for many has been a barrage of unsolicited password reset emails from Instagram. This suggests that automated bots or malicious actors are likely testing the validity of the leaked emails to identify accounts that can be compromised.
Malwarebytes stated this could lead to 'more serious attacks, like phishing attempts or account takeovers.'
Security experts strongly advise taking proactive steps immediately. It is always a 'good idea to turn on two-factor authentication and change your password.' For the safest option, experts recommend using an authenticator app instead of SMS for two-factor authentication, as phone numbers themselves can be exploited.
It is also recommended to check which devices are signed into your Instagram account via Meta's Accounts Centre and to log out of any unrecognised sessions.
