In recent days, many Instagram users in Spain and the rest of Europe have started to notice something strange in their inbox: password reset emails that they never requested. For some it was a simple scare; for others, proof that something serious was happening with the security of the social network.
Meanwhile, a major cybersecurity firm has announced that information from 17.5 million Instagram accounts has reportedly been leaked, with the personal data reportedly circulating on dark web forums. Instagram, for its part, denies being hacked and refers only to a "software issue" with the reset emails. Amid conflicting reports, it's important to clarify what is known, what the real risks are, and how you should react.
What has been leaked and who discovered it
The first alarms were raised when users from all over the world began sharing on social media that they were receiving mass emails asking them to change their Instagram password without having requested anything. Some claimed that these emails arrived several times a day, which went far beyond an isolated login glitch.
In that context, the cybersecurity company Malwarebytes published a report detailing a massive data breach that would affect approximately 17.5 million accounts on the platform. According to their investigation, a group of cybercriminals stole a very large dataset containing personal information from Instagram users.
According to Malwarebytes and other security analysts, the leaked database includes usernames, email addresses, phone numbers, and physical addresses. This would not only be basic profile data, but a "doxing kit" with the potential to identify specific individuals, something especially sensitive in the case of public figures, influencers, or European corporate accounts.
Experts who have followed the case indicate that the data package would have been published on BreachForums and other underground markets, where it is sold in batches segmented by country and number of followers. This means that, in theory, there would also be user records from Spain and other EU countries specifically organized for this purpose.

Malwarebytes' version vs. Instagram's version
Malwarebytes' research maintains that the leak is not a simple surface scraping of public profiles, but the result of unauthorized access to a large volume of data, likely originating in 2024 and related to the use or abuse of Instagram APIs. Some forums even mention specific individuals who allegedly shared the original batch of data, offering it in JSON and TXT formats.
In this narrative, the cybercriminals would have used the leaked information to launch highly refined phishing campaigns, sending emails that mimic legitimate Instagram password recovery messages. By knowing the victim's email address, username, and even approximate location, attackers can craft messages that sound credible and are difficult to distinguish from official ones.
Instagram, for its part, has denied that its systems were hacked. The company, owned by Meta, admits that there was a flaw that allowed a third party to request password reset emails for some accounts, but insists that the servers have not been accessed and passwords have not been leaked.
In its statement, the social network explains that it was a "software problem" that has already been resolved, apologizes for the inconvenience, and emphasizes that “No breach occurred” and the accounts “are secure”. According to this version, the emails that triggered the alarm were a consequence of that bug and not an intrusion into the platform.
The discrepancy between the two versions is key: while Malwarebytes reports 17.5 million profiles with personal data exposed and sold on the dark web, Instagram is attempting to attribute the incident to an error in the recovery email process. So far, Meta has not published a detailed technical report to fully clarify the situation, and a sense of uncertainty persists among some European users.
What data would be at stake and why is it so sensitive
Beyond the debate about the exact origin of the incident, what worries specialists is the nature of the leaked information. According to the analyses that have been made public, the dataset would include, in many cases, the following elements:
- Instagram username, as it appears on the platform.
- Email address associated with the account, used for registration and retrieval.
- Phone number linked to profile, often necessary for verification.
- Address or physical location, at least partially.
Furthermore, the fact that the passwords are not included in the data package does not mean that the accounts are completely safe. With the available information, attackers can exploit the password reset mechanism, try combinations reused on other services, or send extremely convincing emails to trick the user into handing over their credentials.
In the forums where this data has been found, some sellers boast of offering lists sorted by country, language, or number of followers, which would allow targeted attacks on high-impact accounts. European influencers, small local businesses that rely on Instagram for sales, and media outlets with a wide reach thus become priority targets.
The surge of recovery emails and the role of phishing
One of the most visible consequences of this whole incident has been the avalanche of password reset emails. Many users have received these notifications without having requested them. These notifications, which usually come from Instagram's official address, have caused considerable confusion.
First, the very flaw acknowledged by the platform would have allowed a third party to trigger these requests automatically. This caused millions of people to see a legitimate email saying someone wanted to change their password. That, in itself, is unsettling, even if the user ignores the message.
The problem is that this noise has been used to mix fake emails in among those real notices, with links to pages that mimic the Instagram login. That's where good old phishing comes in: if the user clicks and enters their password, they hand it directly over to the attacker.
Cybercriminals, knowing the email associated with the account, the username, and even the country or city, can write very credible messages: “We have detected suspicious access to your account from Spain” or “Your profile has been reported for violating our rules, verify your identity here.” This type of text, accompanied by logos and designs copied from the official ones, makes it very difficult to distinguish the real from the fake.
In Spain and other European countries, cybersecurity entities have been warning for some time that social media has become one of the main hooks for online fraud. An incident of this magnitude, with millions of emails and phone numbers exposed, is a perfect breeding ground for a new wave of attacks.
How to check if your email or account is affected
Given the volume of information being handled, it's natural to wonder if your own email address appears on any of these lists. To find out, there are several options that allow you to check whether your address has appeared in known leaks.
On the one hand, established services such as haveibeenpwned.com have been compiling leaked databases for years and allow you to check, by entering your email address, whether it has been compromised in any incident. If you use it, you can see which previous breaches your address has appeared in and whether any of them are related to Instagram.
In addition, Malwarebytes has enabled its own checking tool. This service is specifically focused on this particular leak and other recent incidents. The process is usually simple: you enter the email linked to your Instagram account, receive a verification code at that address, and enter it on the website to validate that you are the account holder.
Once the verification step is complete, the tool will tell you if your personal information is in one of the analyzed databases. If so, it usually details in which incidents it has appeared and what type of data has been exposed: email, telephone, addresses or partial profile information.
It's worth remembering that the fact that your email appeared in a data breach doesn't automatically mean that someone is currently inside your account, but it does imply that your data travels through channels you don't control and that you must reinforce your security measures immediately.
What to do if you receive emails to change your password
If you are receiving these "Reset your password" emails, or notifications in Spanish indicating that a reset of your account password has been requested, the first thing is to stay calm and apply a few basic rules.
The general recommendation from experts is unequivocal: never click on the links included in these emails. Even if the message appears perfectly legitimate and comes from a recognizable address, it may be real or fake, and the risk of it leading you to a malicious site is too high.
If you want to change your password as a precaution, do so always from the official Instagram app or from the Instagram website by typing the address into your browser. Never access your account through a link you receive by email or SMS, no matter how convincing the text may seem.
If you have any doubts about whether the email is official, you can check the “Instagram emails” section within the Instagram app. In the security section, you'll see a history of the messages the platform claims to have actually sent to your address, allowing you to rule out fraudulent communications.
If you still suspect someone has tried to access your profile, it's also a good idea to check the devices that are logged in and log out any you don't recognize. This can be done directly from the account security menu.
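A mechanical version of the link check behind this advice, for anyone triaging a reported reset email; this is an added example, not code from Instagram or Malwarebytes. It assumes `instagram.com` is the only official domain, and the sample message and its `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: instagram.com is the only domain treated as official.
OFFICIAL_DOMAINS = {"instagram.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def real_host(url: str) -> str:
    """Host the browser would actually contact (userinfo and port stripped)."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return ""
    return host.rstrip(".").lower()


def classify(url: str) -> str:
    host = real_host(url)
    # Exact match or a true subdomain; "instagram.com.something.example" fails both.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official domain"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: punycode host"
    # Brand name in the host, or in the userinfo part placed before an "@".
    if "instagram" in host or "instagram" in url.lower().split("/")[2]:
        return "suspicious: brand name outside the official domain"
    return "unofficial domain"


def triage(body: str) -> list[tuple[str, str]]:
    """Classify every http(s) link found in a message body."""
    urls = (m.rstrip(".,;)") for m in URL_RE.findall(body))
    return [(u, classify(u)) for u in urls]


# Constructed sample message; every non-official host uses the reserved .example TLD.
SAMPLE = """We have detected suspicious access to your account from Spain.
Reset here: https://instagram.com.account-check.example/reset
Or here: https://instagram.com@verify.example/login
Help: https://help.instagram.com/
Unsubscribe: https://mailer.example/u
"""

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE):
        print(f"{verdict:52} {url}")
```

A verdict of "official domain" only describes where the link points; the advice above to go through the app or type the address yourself still applies.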
How to change your password from the app or website
Updating your password is one of the first things you should do if your email address appears in a data breach or if you've received suspicious emails. The key is to make this change only from the official Instagram settings, without going through external links.
On mobile, the process is quite straightforward. Open the app, go to your profile, and tap the three-line icon in the corner (depending on the version, it may be at the top or bottom). From there, access the Accounts Center, the section where profiles for Meta services, such as Facebook or Instagram, are managed.
Once inside the Accounts Center, make sure your Instagram account is selected and go to the Password and security section. There you will see the Change Password option, which is the right place to modify it safely.
In the web version, from your computer, the process is very similar. Click on the settings menu, locate the Accounts Center and, within it, go to the Password and security section. From there, choose Change Password and follow the instructions the platform gives you.
It is important that the new password be long, robust and unique. Use a combination of uppercase and lowercase letters, numbers, and symbols, and avoid reusing passwords you already use for other services. If you struggle to manage them, a reliable password manager can help you avoid having to remember them all.
Two-step authentication and other security measures
Changing your password is a fundamental step, but not the only one. Two-step authentication (2FA) has become almost mandatory for those who want to keep their social media somewhat safer in a context of constant leaks.
On Instagram, you can activate two-step verification from the same Password and security menu. The recommendation of many specialists is to avoid SMS verification if possible. Since text messages can be intercepted or spoofed, opt for authentication apps like Google Authenticator, Authy, Bitwarden, or similar options.
With 2FA enabled, even if someone obtains your password through carelessness or deception, they will still need an additional temporary code to access your account. This code is generated on your mobile phone and changes every few seconds, making life much more difficult for attackers.
Another very useful measure is to review the list of devices logged into your account. In the security section, you'll find a list of all the mobile phones, computers, and tablets that currently have access. If you see one you don't recognize or no longer use, you can log it out remotely.
Finally, it's worth taking a look at the third-party apps that you have linked to your Instagram account. Tools for scheduling posts, filter apps, or analytics services can become weak links if they aren't properly maintained. Revoke access to those you don't need or don't trust.
In the current scenario, with leaks affecting millions of profiles and increasingly sophisticated phishing campaigns, the security of your Instagram account depends as much on what the platform does as on the decisions you make on a daily basis. Being wary of suspicious links, using strong passwords, activating two-step verification, and occasionally checking where your data has ended up are small routines that can save you a lot of trouble later on.