- Meta says the Instagram password reset emails were triggered by error, not a system breach
- Malwarebytes reported 17.5 million account credentials leaked, possibly from previous API incidents (2022 or 2024)
- Hackers sharing authentic data increase phishing risks; users are advised to verify information directly on meta pages
Some Instagram users have received password reset emails without requesting them — but the company says it hasn’t experienced a data breach.
Parent company Meta has issued a statement saying that this was not a data breach and that the accounts were not at risk at all. Instead, it claims this was a bug that allowed third parties to trigger password reset emails, and that’s all.
“We fixed an issue that allowed an external party to request password reset emails for some Instagram users,” a Meta spokesperson said. “We want to reassure everyone that there was no breach of our systems and people’s Instagram accounts remain secure. People can disregard these emails and we apologize for any confusion this may have caused.”
When was it stolen?
This follows recent reports from Malwarebytes claiming that unidentified cyber actors had stolen data from 17.5 million Instagram accounts.
The stolen data reportedly included user IDs, usernames, email accounts, phone numbers, names and postal addresses. According to the researchers, the data ended up on “several hacking forums,” where it was said to have been pulled from an Instagram API leak in 2024.
However, not everyone agrees with this assessment. Some researchers believe the data was actually grabbed during the 2022 API scraping incident. Meta, on the other hand, says it knows of no API incidents in either 2022 or 2024.
Whether the data was stolen in 2022, 2024, or 2026, the fact that hackers are sharing authentic user data on the dark web should be cause for concern enough. With so much information, cybercriminals can launch convincing phishing emails, tricking users into sharing their Instagram login credentials or even those to Facebook and WhatsApp.
To protect against potential attacks, it would be best to simply ignore all emails claiming to be from Meta or its companies and double-check all information on the respective websites directly.
Via Bleeping Computer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
