Meta denies Instagram systems were breached despite claims of 17 million accounts being leaked, attributing recent issues to a password reset bug. Researchers suggest the data may be compiled from past incidents.
Claims of a massive Instagram data leak involving 17 million accounts have surfaced on hacking forums, but parent company Meta firmly denies any breach occurred. Instead, the company attributes recent anomalies to a now-fixed bug in its password reset system.
According to Meta's statement to BleepingComputer, "We fixed an issue that allowed an external party to request password reset emails for some Instagram users. We want to reassure everyone there was no breach of our systems and people's Instagram accounts remain secure." The company emphasized that users could disregard unexpected password reset emails.
The controversy began when cybersecurity firm Malwarebytes warned customers about stolen data from 17.5 million Instagram accounts. Soon after, datasets appeared freely available on hacking forums claiming to contain information scraped via an Instagram API vulnerability. 
The leaked dataset reportedly contains 17,017,213 records with varying combinations of:
- Instagram IDs (17,015,503 unique)
- Usernames (16,553,662 unique)
- Email addresses (6,233,162 unique)
- Phone numbers (3,494,383 unique)
- Names (12,418,006 unique)
- Physical addresses (1,335,727 unique)
Cybersecurity researchers examining the data speculate it might originate from past scraping incidents, including a known 2017 Instagram API bug that exposed 6 million accounts. However, Meta states it has "no awareness of any API incidents in 2022 or 2024," and researchers haven't provided conclusive evidence linking the data to recent vulnerabilities.
Security Implications and User Guidance
While passwords weren't included in the leak, security experts warn the exposed information significantly increases risks:
- Phishing and Smishing Attacks: Expect targeted messages using your name, username, or other personal details to appear more credible
- Social Engineering: Attackers may use address or phone details to build trust in impersonation schemes
- Credential Stuffing: Email addresses and usernames could be tested across other platforms
Meta recommends these protective measures:
- Ignore unexpected password reset emails or SMS codes unless you initiated the request
- Activate two-factor authentication in Instagram's security settings
- Monitor accounts for suspicious activity
- Use unique passwords across all online services
The incident highlights how historical data breaches can resurface years later, underscoring the importance of ongoing vigilance even after companies patch vulnerabilities. While Instagram's systems show no evidence of new compromise, the recycled nature of such data leaks continues to pose persistent threats to user security.
Comments
Please log in or register to join the discussion