News of a possible Instagram data breach spread over the weekend after Malwarebytes reported that cybercriminals had stolen sensitive information from 17.5 million Instagram accounts, potentially leading to a surge in password reset requests.
Users complained last week about receiving repeated password change requests, but Instagram parent company Meta has denied that a breach of its systems occurred.
“We fixed an issue that let an external party request password reset emails for some people,” the company stated on Sunday. “You can ignore those emails — sorry for any confusion.”
Malwarebytes’ warning was likely related to a recent report about a threat actor offering a massive trove of Instagram user data for download via a dark web forum.
The threat actor says that the leaked data is from 2024, when it was harvested via an inadequately secured Instagram API. (That claim remains unconfirmed.)
According to the Have I Been Pwned (HIBP) service, the dataset contains 17 million rows of public Instagram information: usernames, display names, phone numbers, account IDs, and geolocation data.
“Of these records, 6.2M included an associated email address, and some also contained a phone number,” HIBP says. The dataset does not include passwords or other non-public data.
“The scraped data appears to be unrelated to password reset requests initiated on the platform, despite coinciding in timeframe,” the service noted.
Users should ignore password reset requests they haven’t initiated, additionally secure their accounts by setting up two-factor authentication (2FA), and be on the lookout for phishing emails impersonating Instagram.


