- Meta says Instagram password reset emails were triggered by error, not a breach of systems
- Malwarebytes reported 17.5 million account details leaked, possibly from past API incidents (2022 or 2024)
- Hackers sharing authentic data heightens phishing risks; users advised to verify info directly on Meta sites
Some Instagram users have received password reset emails without requesting them – but the company says it hasn’t experienced a data breach.
Parent company Meta has issued a statement saying this was not a data breach, and that the accounts were not at risk, at all. Instead, it claims this was an error that allowed third parties to trigger password reset emails, and that is all.
“We fixed an issue that allowed an external party to request password reset emails for some Instagram users,” a Meta spokesperson said. “We want to reassure everyone there was no breach of our systems and people’s Instagram accounts remain secure. People can disregard these emails and we apologize for any confusion this may have caused.”
When was it stolen?
This follows recent reports from Malwarebytes claiming unidentified thread actors had stolen data from 17.5 million Instagram accounts.
The stolen data allegedly included user IDs, usernames, email accounts, phone numbers, names, and postal addresses. According to the researchers, the data ended up on “numerous hacking forums”, where it was said that it was pulled from a 2024 Instagram API leak.
Not everyone agrees with this assessment, though. Some researchers believe the data was, in fact, grabbed during the 2022 API scraping incident. Meta, on the other hand, says it knows nothing of any API incidents in either 2022 or 2024.
Regardless of if the data was stolen in 2022, 2024, or 2026, the fact that hackers are sharing authentic user data on the dark web should be cause for concern enough. With this much information, cybercriminals can launch convincing phishing emails, tricking users into sharing their Instagram login credentials, or even those for Facebook and WhatsApp.
To protect against potential attacks, it would be best to simply ignore all emails claiming to be coming from Meta or its companies, and double-check all information on respective websites, directly.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
