
Instagram Password Reset Emails – 17.5 Million Instagram Accounts Exposed
- A leak affecting roughly 17.5 million Instagram accounts (from 2024) is being used to fuel waves of unexpected password reset emails.
- The exposed dataset reportedly includes emails, phone numbers, and sometimes location-related data—enough to enable targeted scams and account takeover attempts.
- Researchers say attackers harvested the data via an API-based scraping leak, then sold and circulated the verified dataset on underground forums.
- Hackers can trigger password reset requests using leaked contact info to identify active accounts and pressure users into clicking links or sharing codes.
- Even without passwords in the leak, combined contact details enable phishing, fake support outreach, SIM swapping, and 2FA bypass attempts.
- Best next steps: change your password directly in-app, enable authenticator-app 2FA, review login activity, ignore surprise reset emails, and secure recovery details.
If you have received a surprise password reset email from Instagram recently, you are not alone. A major data leak exposed the personal information of around 17.5 million Instagram users back in 2024, and that data is now circulating on dark web forums.
This is not just usernames. The exposed data includes email addresses, phone numbers, and in some cases physical location information. That is more than enough for scammers to launch targeted phishing attacks, fake support messages, and account takeover attempts.
What Actually Happened
Cybersecurity researchers confirmed that the data was harvested in late 2024 through an API leak, which allowed attackers to scrape millions of public profiles without being blocked. The dataset was then listed for sale by threat actors on hacking forums and quickly verified as real.
Shortly after, users around the world began receiving waves of Instagram password reset emails. These were not random. Hackers were using the leaked email addresses to trigger reset requests and see which accounts were active and vulnerable.
Shortly after this story gained traction due to a viral TikTok, Instagram posted an announcement on X, claiming they “fixed” it.

24 hours after this was announced, we tested the “fix” – and found no change. Our team was still able to trigger password reset emails and texts for an account, based only on its username.

Instagram also said “There was no breach of our systems” – recently true, but the password reset emails are being sent off the back of a 2024 leak that hit over 17M accounts.
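From the service side, the reset-request waves described above appear as one source requesting resets for many different accounts in a short time. The following is an added example, not code from this article or from Instagram, that flags that pattern in a constructed log; the log format, thresholds and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO timestamp, source IP, target account).
SAMPLE_LOG = """\
2025-01-10T09:00:01 203.0.113.7 alice
2025-01-10T09:00:20 203.0.113.7 bob
2025-01-10T09:00:41 198.51.100.4 frank
2025-01-10T09:01:02 203.0.113.7 carol
2025-01-10T09:01:30 198.51.100.4 frank
2025-01-10T09:01:45 203.0.113.7 dave
2025-01-10T09:02:10 203.0.113.7 erin
2025-01-10T09:03:00 198.51.100.4 frank
2025-01-10T09:05:00 192.0.2.9 gina
2025-01-10T09:25:00 192.0.2.9 hank
2025-01-10T09:45:00 192.0.2.9 ivan
2025-01-10T10:05:00 192.0.2.9 judy
"""

def parse(line):
    """Split one log line into (timestamp, source IP, target account)."""
    ts, ip, account = line.split()
    return datetime.fromisoformat(ts), ip, account

def flag_reset_sweeps(lines, window=timedelta(minutes=5), max_accounts=3):
    """Return {ip: peak distinct accounts} for sources that requested resets
    for more than max_accounts different accounts inside one sliding window."""
    recent = defaultdict(deque)  # ip -> (timestamp, account) pairs still in the window
    flagged = {}
    for ts, ip, account in sorted(parse(l) for l in lines if l.strip()):
        q = recent[ip]
        q.append((ts, account))
        # Drop requests that have aged out of the window for this source.
        while ts - q[0][0] > window:
            q.popleft()
        # Count distinct targets: one user retrying their own reset stays at 1.
        distinct = len({a for _, a in q})
        if distinct > max_accounts:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(flag_reset_sweeps(SAMPLE_LOG.splitlines()))
```

Counting distinct target accounts rather than raw requests keeps a single user who retries their own reset from being flagged. A source that rotates addresses would not trip this per-IP counter, so it is one signal among several rather than a complete control.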
Why This Is Dangerous
Even though passwords were not directly leaked, the combination of email and phone number is extremely powerful.
Attackers can:
- Pretend to be Instagram support
- Send highly convincing phishing messages
- Attempt SIM swapping to bypass two-factor authentication
- Trick users into handing over login codes
Security experts have warned that this breach is already being actively exploited.
What You Should Do Right Now
You do not need to panic, but you do need to act.
1. Change your Instagram password manually
Open the app or website yourself. Do not click links in emails.
2. Enable two-factor authentication using an app
Use an authenticator app rather than SMS. SMS can be intercepted.
3. Check your login activity
Look for devices or locations you do not recognize.
4. Ignore unexpected password reset emails
If you did not request it, do not click it. Log in directly instead.
5. Update your recovery email and phone number
Make sure they are secure and up to date.
How Redact Can Help You Clean Up Your Instagram
This event is a reminder that breaches and leaks may have no immediate consequence – it could take years, decades, or longer before bad actors leverage exposed data in a way that actually impacts you. Additionally, social media platforms are typically not “private” or “secure” in any sense. Your private messages, posts, comments, likes, and any other activity could quickly become liabilities in the future.
Redact helps you delete Instagram posts, reels and messages in bulk so you can take control of your profile and reduce what is publicly visible. Whether you are cleaning up for privacy, professionalism, or just peace of mind, Redact lets you reset your digital footprint without hours of manual work.
This is not about this specific leak. It is about being in control of what exists under your name online.
Final Thought
Data leaks are becoming routine. Their impact may not be realized for years after they occur. Account attacks are becoming smarter and more convincing. The best defense is a proactive one; reducing the size of your digital footprint makes you a harder target – in addition to using multi-factor authentication (app based), a password manager, and checking on breach alert services like Have I Been Pwned.
Secure your account. Clean up your history. Stay in control.