Instagram has denied claims of a major data breach after millions of users received unexpected password reset emails over the weekend. The platform insists no system breach occurred, contradicting security firm Malwarebytes' warning that sensitive data from 17.5 million accounts was leaked online.
The controversy erupted after users worldwide reported a flood of password reset requests. Cybersecurity firm Malwarebytes warned: «Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.» The firm added that «this data is available for sale on the dark web and can be abused by cybercriminals.»
Instagram responded on X on Sunday morning with a different explanation. The platform stated: «We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails - sorry for any confusion.»
User Skepticism and Concerns
Instagram's explanation has met strong resistance from users. One X user questioned: «No breach but an external party can trigger a password reset? Sounds like a breach.» Another criticized the platform's response: «If an external party can trigger a password reset on my account, that IS a breach. I had to spend time investigating the issue for myself, changing my password, setting up 2FA, trying to log out on all devices which u don't make easy. What a waste of time. Get your act together!»
A third user alleged a cover-up: «That's wrong, and you're trying to cover things up. I received emails and I'm very concerned that it was a data breach. Many sources say the same thing and confirm this.» At least one user reported deleting their account entirely in response to the incident.
The Reported Data Leak
According to reports, the data was originally stolen during an Instagram API leak in 2024, when hackers bypassed standard security protections. A threat actor using the moniker "Solonnik" subsequently published over 17 million records on BreachForums, a known cybercrime platform, making the dataset freely available last Wednesday.
Forbes contributor and cybersecurity expert Davey Winder confirmed receiving a legitimate-looking password reset email on Friday. The email read: «If you ignore this message, your password will not be changed. If you didn't request a password reset, let us know.»
Cybersecurity experts have warned users to exercise extreme caution. They advise against clicking "Reset password" buttons in suspicious emails, while noting that attackers would still need additional information to fully compromise accounts. Instagram confirmed that legitimate password reset emails only come from addresses ending in @mail.instagram.com.
Security Recommendations
Instagram strongly recommends that users enable two-factor authentication. The platform stated: «We strongly recommend enabling two-factor authentication.» Options include using a phone number or an authenticator app such as Duo Mobile or Google Authenticator. Instagram also announced: «If you're using WhatsApp, in the coming weeks you will be able to protect your account using your WhatsApp number in certain countries.»
The platform further advised: «Make sure that the email and phone numbers associated with your device are up to date. That way if something happens to your account, we can reach you. These steps let you recover your account even if your info has been changed by a hacker.»
Users can check if their email addresses have been compromised by visiting HaveIBeenPwned.com or malwarebytes.com. Meta, Instagram's parent company, has not provided additional comment beyond the platform's X statement.
Note: This article was created with Artificial Intelligence (AI).














