Instagram hacked.. change your password(s) [unverified]

Instagram was hacked and all info is already on the web. Change your password, and change it elsewhere too if you used it in more than one place.

3 Likes

I can't find anything reliable about a recent Instagram hack. Where did you see this?

It's all over the place. But here's an article on Forbes.com, which seems like a pretty reliable source.

https://www.forbes.com/sites/daveywinder/2026/01/10/instagram-password-reset-attacks---users-must-check-1-thing-now/

Oh... this is a phishing attempt. That's very different from how I interpreted the OP. In my mind, I thought he was saying Instagram WAS hacked and the password list was "already on the web".

2 Likes

I read the article @aaiyar linked to and found no mention of Instagram being hacked and information being published on the web.

I did receive at least one password reset message in the past couple of days but deleted it.

[Edit: I do see "Instagram hacked" in articles "all over the place" but none so far that details anything other than some people were tricked into revealing their password.]

[Edit Part 2: OK, I am finding mention of an actual data breach of 17.5M accounts, but it takes some digging to find amid all the discussion of the password reset messages. Still looking for an article with more details about the data breach since that's what matters. The password reset emails are just collateral damage and not a problem in and of themselves.]

[Edit Part 3: I'm still not convinced that there was any data breach involving access to databases at Instagram. Access to Instagram credentials appears to be limited to client-side phishing and malware that has been ongoing. Would love to see a clearly written article that suggests otherwise.]

1 Like

Yep - 2FA is your friend, and you can generally just ignore this nonsense (unless you use the same password for multiple accounts)..

1 Like

Generally speaking yes. Unfortunately, there are folks at work who have fallen prey to social engineering and revealed OTPs. There is no technological solution for human fallibility.

2 Likes

Or stupidity...

2 Likes

Yeah but remember SMS delivered 2FA codes are the least secure way. Using an authenticator app is way more secure.

1 Like
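An added example, not from the thread or from any post in it: how a 6-digit authenticator-app code is actually computed (RFC 6238 TOTP built on RFC 4226 HOTP), and a small server-side check that tolerates clock drift and refuses to accept the same code twice. The 30-second step, 6 digits and SHA-1 are assumed defaults (what most consumer apps use); the secret is the RFC test-vector string, not a real key. The relay_demo function illustrates the point made earlier about people being talked into revealing OTPs: the service sees a correct code and cannot tell whether the account owner or a phisher typed it, so the code is a bearer value for as long as its time step is accepted.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code (assumed; the common default)
DIGITS = 6     # code length (assumed; the common default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // step)


class TotpVerifier:
    """Server-side check. Accepts the current step and +-window neighbouring
    steps to allow for clock drift, and never accepts the same step twice
    (RFC 6238 recommends refusing reuse of a code)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1      # highest time step already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        counter = int(unix_time) // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue            # replay of an already-consumed step
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); not a real key.
SECRET = b"12345678901234567890"


def relay_demo():
    """Simulate the social-engineering failure mode: the victim reads a genuine
    code from their app and types it into a phishing page, and the attacker
    submits it to the real service ten seconds later.
    Returns (relay_accepted, replay_accepted)."""
    verifier = TotpVerifier(SECRET)
    t_victim = 1111111109                      # time the victim reads the code
    code = totp(SECRET, t_victim)              # what the app displays
    relay_accepted = verifier.verify(code, t_victim + 10)   # phisher submits it
    replay_accepted = verifier.verify(code, t_victim + 10)  # same code a second time
    return relay_accepted, replay_accepted


if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(SECRET, t))
    relayed, replayed = relay_demo()
    print("relayed code accepted:", relayed, "| replay accepted:", replayed)
```

The verifier accepts the relayed code because it is mathematically valid for that step; nothing in the protocol binds the code to the site the user is looking at. That binding is what hardware keys (FIDO/WebAuthn) add, which is why they resist this particular trick and TOTP or SMS codes do not.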

Ahh, thanks for posting this!

To be fair, if their 2FA is OTPs sent over text message and not hardware such as a YubiKey or an authenticator app, it is only marginally better, as all mobile networks have been compromised and even NIST recommends businesses stop using text messaging for OTPs. It's basically a show to make people think it's secure, kind of like the TSA at the airport.
That having been said, getting the average consumer to understand and actually do that is a pretty tall order.

Wherever possible I utilize biometrics, YubiKey, 2FA using an authenticator app, and finally consider anything that uses OTP via text as compromised. None of these are sure things, either. They will only slow down an attacker, and maybe they will get frustrated and move along. It is not a matter of IF your accounts will be compromised, but a matter of when, no matter how many steps you take to secure them.

Does it mean anything that I can easily find articles written by such luminaries in the cybersecurity community as The Irish Sun, Forbes, or Men’s Journal, but can’t seem to find anything mentioned on websites that I expect are run by people who actually have a clue what they’re talking about?

1 Like

I don't want to be harsh since I suspect there is a kernel of truth to this, but I agree. No wire service or trusted security source has said anything about this. Malwarebytes made a post on X that had nothing to do with a data breach but simply saying cybercriminals have stolen Instagram credentials, but I think that actually happened in 2024 or refers to ongoing client-side revelations.

Forbes is certainly not a trusted source. On the same page, they confirm iPhone attacks, which turn out to be some people still running old software. Not any urgent event.

3 Likes

That’s all I could find as well. All these recent articles reference Malwarebytes as the source of this info. Maybe they only share details with their customers/subscribers, since there’s no meaningful info in their social media post.

I’m looking forward to hearing more about this from a reliable source, if there’s more to it.

1 Like

FWIW, Meta’s response on the record (for now) is that there was no breach that leaked any personal info.

Just access to a system that allowed the hacker to send password reset emails.

1 Like

Well, there we have it straightened out by no less than the Hindustan Times.

2 Likes

lol. At least they quote a Meta spokesperson?

Regardless of the source, I went ahead and changed mine. Doesn't hurt to change it if not necessary, and could be useful if it was actually breached. I use 2FA through an app, and my e-mail address is a hybrid Gmail account that the Malwarebytes tool won't even let me use:
(username) + (adder) @ gmail
I do this with all of my logins that will let me use that format. This helps me to sort mail on my end when receiving, and easily change my login e-mail if I find out it has been used somewhere.

As to this specific breach, I created the instagram account to specifically NOT use but prevent anyone from linking a fake account to my FB (I got banned in the past when someone somehow bypassed FB's 2FA and linked an IG account to my FB). Took me a bit to get it back and then decided to link an account so that no one else could.

1 Like
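An added example, not from the thread or from any post in it, of the per-service plus-addressing described above. It assumes a Gmail-style mailbox where "user+tag@gmail.com" is delivered to "user@gmail.com" and dots in the local part are ignored; the mailbox name, the service registry and the sample message headers are all constructed for illustration. It shows two things the post only hints at: how to tell which service an alias was issued to (so mail arriving at that alias from anyone else means the address was shared or leaked), and how to canonicalize such an address so that a breach lookup that matches on the bare address still finds it.

```python
import re

MAILBOX_LOCAL = "someone"       # hypothetical mailbox, not a real account
MAILBOX_DOMAIN = "gmail.com"

# tag -> domain that should be the only sender using that alias (constructed)
REGISTRY = {
    "instagram": "instagram.com",
    "bank": "bank.example",
}


def alias_for(service: str) -> str:
    """Build the per-service login address, e.g. someone+instagram@gmail.com."""
    tag = re.sub(r"[^a-z0-9]", "", service.lower())
    return f"{MAILBOX_LOCAL}+{tag}@{MAILBOX_DOMAIN}"


def parse_address(addr: str):
    """Return (canonical_local, tag, domain). Gmail ignores dots in the local
    part and delivers local+tag to local, so both are normalised away."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local, _, tag = local.partition("+")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return local, tag, domain


def canonical(addr: str) -> str:
    """The address a breach lookup should actually be searching for."""
    local, _, domain = parse_address(addr)
    return f"{local}@{domain}"


def classify(sender: str, recipient: str) -> str:
    """'ok'       alias used by the service it was created for
       'leaked'   alias for one service, mail from somebody else
       'untagged' mail to the bare address, or to a tag not in the registry"""
    _, tag, _ = parse_address(recipient)
    expected = REGISTRY.get(tag)
    if expected is None:
        return "untagged"
    _, _, sender_domain = parse_address(sender)
    if sender_domain == expected or sender_domain.endswith("." + expected):
        return "ok"
    return "leaked"


# Constructed sample From/To pairs, not real mail.
SAMPLE = [
    ("security@mail.instagram.com", "Someone+instagram@gmail.com"),
    ("promo@deals.example.net",     "some.one+instagram@gmail.com"),
    ("alerts@bank.example",         "someone+bank@gmail.com"),
    ("newsletter@shop.example",     "someone@gmail.com"),
]


def report():
    """Classify each sample message; the second one is the interesting case."""
    return [(sender, rcpt, classify(sender, rcpt)) for sender, rcpt in SAMPLE]


if __name__ == "__main__":
    for sender, rcpt, verdict in report():
        print(f"{verdict:8} {rcpt:30} from {sender}")
    print("lookup as:", canonical("Some.One+instagram@gmail.com"))
```

Two caveats a practitioner should keep in mind: plenty of sign-up forms reject a "+" in the address (the post itself ran into one), and the tag is visible to whoever holds the address, so a careful spammer can strip it before selling the list. The scheme is a cheap tripwire, not proof of where a leak came from.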

The leak was first uncovered by cybersecurity researchers at Malwarebytes and later verified through listings circulating on dark web forums, where sensitive user data is being actively traded.

According to researchers, the compromised data set appeared earlier this week on a notorious hacking forum, posted by a threat actor using the alias “Solonik.”

The listing, titled “INSTAGRAM.COM 17M GLOBAL USERS — 2024 API LEAK,” claims to contain 17.5 million Instagram user records available in both JSON and TXT formats.

The hacker alleges the data was harvested in late 2024 through an “API Leak,” allowing them to bypass standard security protections and scrape user profiles from across the globe.

seems real to me..