Credential Stuffing Account Fraud on Instagram
Automated bots attack Instagram accounts using leaked email and password combinations from other data breaches, gaining access to accounts whose owners have recycled the same password across multiple services.
Part of: Credential Stuffing Account Fraud
Last reviewed: 1 June 2026
Instagram accounts are high-value credential stuffing targets because they often hold commercial value — an established audience, brand deals, or shopping integrations. A successfully stuffed account can be used for fraud, sold to other operators, or ransomed back to the original owner.
Because Instagram requires only an email or phone number plus a password to log in, any pair of credentials leaked in a breach of another service becomes a potential key to an Instagram account if its owner reused the same combination on Instagram.
How this scam works on Instagram
Automated tools run through databases of leaked credentials — combinations of email addresses and passwords from past data breaches at unrelated services — testing each pair against Instagram's authentication system. When a match is found, the tool logs the successful access and either notifies a human operator or proceeds automatically.
The attacker changes the linked email address and phone number, locking the original owner out. They may then use the account to run fake giveaway DMs to followers, post fraudulent investment promotions, or sell the account outright. Business accounts with active product catalogues or advertising credit are especially attractive targets.
In some cases the attacker does not immediately lock the owner out, instead using the account covertly over weeks to gather intelligence about the owner's contacts, brands, and revenue — data that enables more precisely targeted follow-on fraud.
Common red flags
- Instagram login notification for an unfamiliar device, location, or IP address
- Password reset email you did not initiate
- Followers reporting unusual DMs or posts from your account
- Changes to your linked email, phone number, or username that you did not make
- Shopping products, story highlights, or follows added to your account without your action
How to protect yourself
- Use a password for Instagram that is not used on any other platform — ideally generated by a password manager
- Enable two-factor authentication using an authenticator app
- Check breach notification services to see if your email and password combination has been exposed in any past breach, and change affected passwords
- Review Instagram's 'Where you're logged in' list in security settings and log out all unrecognised sessions
- Enable Instagram's login request notifications so you are alerted to new device logins immediately
- Revoke access to all third-party apps in Instagram's security settings that you do not actively use
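An added example, not part of the original page: a local audit of a password manager export that lists which other sites share the login saved for Instagram, which is the reuse the first and third items above are meant to eliminate. The name,url,username,password column layout, the function names, and every sample row are assumptions constructed for illustration.

```python
import csv
import hashlib
import hmac
import io
import os
from urllib.parse import urlsplit

# Constructed sample; the name,url,username,password layout is an assumed export format.
SAMPLE_EXPORT = """name,url,username,password
Instagram,https://www.instagram.com/accounts/login/,ana@example.com,Tr0ub4dor&3
Old forum,https://forum.example.net/login,ana@example.com,Tr0ub4dor&3
Shop,https://shop.example.org/,Ana@Example.com ,Tr0ub4dor&3
Photo site,https://photos.example.com,ana_pics,Tr0ub4dor&3
Bank,https://bank.example.com,ana@example.com,k9#Vq2!mLx7pZw
"""


def host_of(url):
    """Lower-cased hostname with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def reuse_report(csv_text, target_host="instagram.com"):
    """List hosts whose saved login repeats the one saved for target_host."""
    key = os.urandom(32)  # per-run key: digests are only comparable within this call

    def tag(password):
        # Keep a keyed digest, not the plaintext, in the working rows.
        return hmac.new(key, password.encode(), hashlib.sha256).digest()

    rows = [(host_of(r["url"]), r["username"].strip().lower(), tag(r["password"]))
            for r in csv.DictReader(io.StringIO(csv_text))]
    targets = [(user, t) for host, user, t in rows if host == target_host]
    same_pair, same_password = set(), set()
    for host, user, t in rows:
        if host == target_host:
            continue
        for target_user, target_tag in targets:
            if hmac.compare_digest(t, target_tag):
                # Same login name and password: the exact pair a leaked list would carry.
                (same_pair if user == target_user else same_password).add(host)
    return {"same_pair": sorted(same_pair),
            "same_password_only": sorted(same_password - same_pair)}


if __name__ == "__main__":
    print(reuse_report(SAMPLE_EXPORT))
```

A host listed under same_pair means a breach of that site exposes the Instagram login directly, so the Instagram password is the first one to change.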
How to report it
- Use Instagram's official hacked account form at instagram.com/hacked to report the compromise and begin recovery
- Report the fraudulent activity to Instagram through the in-app security settings if you retain some access
- File a complaint with your national cybercrime unit if financial loss or significant harm resulted
Frequently asked questions
I have two-factor authentication enabled — can credential stuffing still succeed?
Two-factor authentication significantly raises the barrier. A credential-stuffing bot that hits a 2FA checkpoint will typically move on rather than attempt to bypass it. However, attacks that include phishing for the 2FA code itself, or that use session-token theft rather than login, can still succeed. Two-factor authentication is essential but not a complete guarantee.