[Diagram: Attacker → password reset → reset flow → mass exploitation (17.5M accounts) → hijacked → response: change password + 2FA]

17.5 million Instagram accounts leaked — here's the one setting that will save you

The Instagram data breach 2026 exposed 17.5M accounts. Attackers are using the leaked email addresses to trigger real password reset emails. Here's how the API scraping attack works and why 2FA keeps a changed password from becoming an account takeover.

Tags: instagram-data-breach-2026, instagram-hacked, instagram-security, password-reset-attack, 2fa

A data breach affecting 17.5 million Instagram accounts surfaced on a hacking forum this week. Hours later, users started receiving a flood of password reset emails.

The twist? The emails are real.

What's happening

A threat actor known as "Solonik" posted a database containing information on 17.5 million Instagram accounts to BreachForums on January 9th—data reportedly obtained through an API scraping attack in 2024. Within hours, users across the platform began receiving legitimate password reset notifications from Instagram.

This isn't a phishing campaign. Attackers are using the leaked email addresses to trigger actual password reset requests through Instagram's systems. The emails come from Instagram's real servers, pass email authentication checks (SPF, DKIM, DMARC), and contain working reset links.

The attack relies on panic. You see "Reset your password" from Instagram, assume something is wrong, and click without thinking. On its own, a genuine reset link only lets whoever holds your mailbox choose a new password, so clicking it doesn't hand the attacker anything by itself. What the flood buys them is an alarmed, rushed target for the next phase of the attack: social engineering, such as a follow-up message or call that offers to "secure your account" while you're still worried. That is where credentials actually get handed over, and those are the credentials that end up for sale.

Why this attack is clever

Traditional phishing is getting harder to pull off. Email providers are better at filtering fake messages, and users are more suspicious of links that don't look right.

This attack sidesteps all of that. The email is genuine. The link is genuine. The only thing that's illegitimate is the request itself — someone else triggered it using your email address from the leaked database.

The message even tells you what to do if you didn't request a reset: "If you ignore this message, your password will not be changed." But attackers are betting you won't read that far. They're counting on the immediate anxiety of seeing a password reset notification to override your judgment.
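The service-side view of the mechanism described above, as an added example that is not Instagram's code or anything from the original post: a sliding-window detector that flags the two shapes this abuse takes in reset-request logs (one source replaying a leaked list against many addresses, and one address being hammered from many sources), plus a reset endpoint that answers identically whether or not an account exists and caps how many links it sends. The log format, IP addresses, thresholds and limits are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client IP> <target email>", one reset
# request per line. The format is hypothetical; adapt parse_reset_log() to yours.
SAMPLE_LOG = "\n".join(
    # one source IP requesting resets for 25 different leaked addresses in 25 seconds
    [f"2026-01-09T14:00:{i:02d}Z 203.0.113.7 user{i}@example.com" for i in range(25)]
    # a single ordinary reset request
    + ["2026-01-09T14:01:00Z 198.51.100.4 alice@example.com"]
    # one address hit four times from four different IPs (distributed flood)
    + [f"2026-01-09T14:02:{i:02d}Z 192.0.2.{10 + i} carol@example.com" for i in range(4)]
)


def parse_reset_log(text):
    """Yield (timestamp, ip, email) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), parts[1], parts[2].lower()


def find_reset_floods(text, window=timedelta(minutes=5),
                      max_emails_per_ip=20, max_requests_per_email=3):
    """Sliding-window detector. Flags an IP that requests resets for more than
    max_emails_per_ip distinct addresses inside `window` (leaked-list replay), and an
    email that receives more than max_requests_per_email requests inside `window`
    from any source (distributed flood). Thresholds are illustrative, not tuned."""
    ip_events = defaultdict(deque)                        # ip -> deque[(ts, email)]
    ip_email_counts = defaultdict(lambda: defaultdict(int))
    email_events = defaultdict(deque)                     # email -> deque[ts]
    flagged_ips, flagged_emails = set(), set()
    for ts, ip, email in sorted(parse_reset_log(text)):
        q, counts = ip_events[ip], ip_email_counts[ip]
        q.append((ts, email))
        counts[email] += 1
        while ts - q[0][0] > window:                      # expire events outside the window
            _, old_email = q.popleft()
            counts[old_email] -= 1
            if counts[old_email] == 0:
                del counts[old_email]
        if len(counts) > max_emails_per_ip:
            flagged_ips.add(ip)
        e = email_events[email]
        e.append(ts)
        while ts - e[0] > window:
            e.popleft()
        if len(e) > max_requests_per_email:
            flagged_emails.add(email)
    return flagged_ips, flagged_emails


class ResetEndpoint:
    """Server-side handler that (1) replies identically whether or not the address has
    an account, so the endpoint is not an account-existence oracle, and (2) caps how
    many links it sends per address and per source IP. Limits are hypothetical."""
    REPLY = "If an account exists for that address, a reset link has been sent."

    def __init__(self, known_emails, max_per_email=3, max_per_ip=10,
                 window=timedelta(hours=1)):
        self.known = {e.lower() for e in known_emails}
        self.max_per_email, self.max_per_ip, self.window = max_per_email, max_per_ip, window
        self.per_email, self.per_ip = defaultdict(deque), defaultdict(deque)

    def _allow(self, bucket, key, now, limit):
        q = bucket[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def request_reset(self, email, ip, now):
        """Return (reply_text, link_sent). The reply never varies; link_sent is internal
        state that is never exposed to the client."""
        email = email.lower()
        # Consume quota even for unknown addresses so counting can't leak existence.
        ip_ok = self._allow(self.per_ip, ip, now, self.max_per_ip)
        email_ok = self._allow(self.per_email, email, now, self.max_per_email)
        sent = ip_ok and email_ok and email in self.known
        return self.REPLY, sent
```

Run `find_reset_floods(SAMPLE_LOG)` and it returns `{"203.0.113.7"}` as the replaying source and `{"carol@example.com"}` as the flooded address, while alice's single request and the four distinct IPs that each sent one request go unflagged. The per-email cap in `ResetEndpoint` is what stops a leaked list from turning into a mailbox flood in the first place; the uniform reply is what stops the same endpoint doubling as the "does this address have an account" check mentioned later in the post.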

The one setting that stops this attack

Two-factor authentication.

Instagram confirmed they've enabled 2FA by default for creator accounts, but they're urging all users to verify it's turned on: "Check to make sure that you didn't turn it off."

Here's why 2FA blunts this attack:

Even if an attacker somehow gets your password changed to one they know, a password alone no longer logs them in. Instagram will require a verification code sent to your phone or generated by your authenticator app, and without your device the attacker is locked out.

The password becomes just the first door. 2FA is the second door, and attackers can't open it remotely. The one thing Instagram's 2FA doesn't cover is the mailbox the reset link lands in: whoever controls that inbox can use the link, so turn 2FA on for your email account as well.
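To make the "second door" concrete, here is an added example (not code from the original post or from Instagram) of the TOTP scheme authenticator apps use (RFC 4226 HOTP under RFC 6238 time steps, SHA-1, 6 digits, 30-second step) wired into a toy account model. `Account`, `takeover_attempt` and the password-hashing parameters are hypothetical; the secret `12345678901234567890` is the RFC 6238 test-vector key, so the codes can be checked against the RFC's own tables.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# RFC 4226 HOTP / RFC 6238 TOTP with SHA-1, 6 digits, 30-second steps: the scheme
# behind Google Authenticator-style codes. Standard library only.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side to tolerate clock drift.
    Constant-time compare so a wrong guess leaks nothing about the right code."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    # Hypothetical parameters; any slow salted hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Toy account (hypothetical model): a password hash and an optional TOTP secret."""

    def __init__(self, password: str, totp_secret: Optional[bytes] = None):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret

    def reset_password(self, new_password: str) -> None:
        # What a genuine reset link does once someone clicks it and picks a password.
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(new_password, self.salt)

    def login(self, password: str, at: int, code: Optional[str] = None) -> bool:
        if not hmac.compare_digest(self.pw_hash, hash_password(password, self.salt)):
            return False
        if self.totp_secret is None:
            return True                                      # no 2FA: password is enough
        return code is not None and verify_totp(self.totp_secret, code, at)


def takeover_attempt(with_2fa: bool, at: int = 1_700_000_000) -> bool:
    """Attacker gets the password reset to one they chose, then tries to log in with
    only that password. Returns True if they get in."""
    secret = b"12345678901234567890" if with_2fa else None
    acct = Account("correct horse battery staple", secret)
    acct.reset_password("attacker-chosen")
    return acct.login("attacker-chosen", at)                 # no code: attacker has no device
```

`takeover_attempt(with_2fa=False)` returns True and `takeover_attempt(with_2fa=True)` returns False; the legitimate owner, holding the device, still gets in by passing `totp(secret, now)` as `code`. Note what `verify_totp` does and does not do: the skew window is there for clock drift, and any real deployment also needs to reject a code that was already accepted in the same step, otherwise a shoulder-surfed code is replayable for up to 30 seconds.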

How to check your Instagram 2FA settings

  1. Open Instagram and go to your profile
  2. Tap the menu (three lines) → Settings and privacy
  3. Select Accounts Center → Password and security
  4. Tap Two-factor authentication
  5. Choose your account and enable an authentication method

Instagram offers three options:

Method | Security level | Notes
Authenticator app | Highest | Use Google Authenticator, Authy, or 1Password for TOTP codes; the secret never leaves your device
SMS codes | Medium | Better than nothing, but vulnerable to SIM swapping attacks
WhatsApp | Medium | Codes sent via WhatsApp message; tied to your phone number, so largely the same SIM-swap exposure as SMS

If you received an unexpected password reset email and you're worried your account may be compromised, Instagram provides an account recovery tool to help you regain access.

What to do if you got a reset email

Don't panic. Don't click.

If you didn't request a password reset:

  1. Ignore the email — Your password won't change unless you click the link
  2. Check your 2FA settings — Make sure it's enabled (see steps above)
  3. Consider changing your password anyway — Through the app directly, not via the email link
  4. Report the email — Use Instagram's "let us know" link if you want to alert them

The email itself is harmless if you don't act on it. The danger is in reacting impulsively.

What to do if your Instagram was actually hacked

If you've already clicked a suspicious link or your account shows signs of compromise (posts you didn't make, DMs you didn't send, login notifications from unknown locations), take these steps immediately:

  1. Use Instagram's recovery tool — Go to instagram.com/hacked to regain access
  2. Change your password — Use the app directly, not any email link
  3. Enable 2FA — Use an authenticator app, not SMS
  4. Check linked accounts — Remove any apps you don't recognize in Settings → Apps and websites
  5. Change passwords on other accounts — If you reused your Instagram password elsewhere, change those passwords too before attackers try credential stuffing

Attackers move fast after a breach, so you need to move faster: do this today, not next week.

The bigger picture

This breach is a reminder that your email address is often the skeleton key to your digital life. Once it's leaked, attackers can use it to probe every service you've ever signed up for — triggering password resets, testing for account existence, or launching targeted phishing campaigns.

Two-factor authentication won't prevent your email from being leaked. But it will prevent that leak from turning into an account takeover.

The 17.5 million users in this breach can't undo the exposure. But they can make it worthless by ensuring 2FA is enabled before attackers come knocking.

Check your settings. Today.


Key takeaways

  • 17.5 million Instagram accounts were leaked on BreachForums
  • Attackers are triggering real password reset emails — not phishing
  • The emails are legitimate, but the requests aren't
  • 2FA is your protection — enable it now if you haven't
  • If you get an unexpected reset email, don't click — just verify your 2FA is on

About Dosel: We built a macOS app that automates password changes using local AI. The agent navigates each site and changes passwords for you, while keeping everything on your machine.

Download Dosel → — 5 free automated password changes per month, no credit card required.


Questions about protecting your accounts? Reach out at hello@dosel.app.

