ISLAMABAD – It started as routine morning scroll through Instagram for millions of users, but what should have been just another day quickly turned into shocking development. Out of nowhere, inboxes flooded with password reset emails, each one perfectly mimicking Instagram’s official security messages.
For many, panic set in instantly as users felt their accounts had been compromised. Little did they know, this was not a simple mistake. behind these emails lurked a massive data leak exposing millions of accounts, spilling sensitive information onto dark web forums and putting users’ personal details at risk of being weaponized by cybercriminals.
Millions of social media users worldwide are in shock after receiving unexpected password reset emails that looked like they came from Instagram itself, sparking fears of one of the largest social media breaches in recent history.
Instagram Password Change Scam
@ohhackno
UPDATE: Multiple news outlets have now confirmed this is a massive official data leak (not just a scam email), which makes securing your account with 2FA even more important! Instagram has not yet made a statement on why these PW reset requests do not consistently show up under “recent emails” or on the breach in general 👎🏼
♬ original sound – Flo & Kenny | ohhackno
Cybersecurity experts traced the emails to massive data leak affecting approximately 17.5 million Instagram accounts. The sensitive information, stolen through an API vulnerability in late 2024, resurfaced on dark web forums, putting millions of users at risk of phishing attacks, identity theft, and account hijacking.
The exposed data reportedly includes usernames, email addresses, phone numbers, and partial physical addresses, enough for hackers to impersonate users or attempt credential-stealing attacks.
What’s alarming is how convincing these emails are. They mimic Instagram’s official communication style and appear to come from verified domains like @mail.instagram.com. Yet the sheer volume and timing suggest this is not a mistake, but a direct result of the resurfaced breach. Many recipients verified the email headers yet confirmed they never requested a password reset.
Each email instructs users to either reset their password or report unauthorized activity, warning: “If you ignore this message, your password will not be changed.”
Malwarebytes warns that these emails are likely linked to the 2024 cyber breach, which exposed millions of profiles. The stolen information could easily be exploited for phishing campaigns and other malicious attacks.
Instagram, meanwhile, maintains that receiving a password reset email does not automatically mean your account has been hacked. Mistakes such as someone entering the wrong email or username can trigger these messages. The company reassures that only someone with your password or access to the email link can log in.
Rajab Butt’s YouTube, Instagram Accounts deactivated amid family dispute
