Alas, not even Instagram is safe from hackers, fraudsters, and ne’er-do-wells. According to cybersecurity research firm, Malwarebytes, about 17.5 million Instagram accounts were attacked and their personal data tracked to listings on the dark web.

 

Early reports indicate that the data was collected through an API Leak (this is an unauthorized exposure of keys, tokens, or sensitive data that happens unintentionally through misconfigured servers or substandard storage practices). Standard security measures were insufficient and allowed the hackers to collect information from user profiles using automated harvesting called “scraping.” Unfortunately, usernames and unflattering photos were the least invasive data stolen; Instagram confirms that names, emails, phone numbers, and location data were also stolen.

 

Affected users have described receiving a “surge” of unsolicited password reset notifications, a scammer tool for establishing trust and getting victims to turn over additional login credentials or pieces of their multi-factor authentication. This essentially gives hackers unfettered access to their accounts, images, and data.

 

Meta, which owns Instagram, has not spoken publicly on this hack nor reached out to affected users. Even if you haven’t experienced anything strange, now would be a good time to log out of any device you use to access Instagram, change your password, and log back in. And, just to be safe, any information (or terrible selfies!) not critical to your account, you should consider removing.