Instagram Denies Data Breach Claims

Summary

– A cybersecurity firm reported a potential data breach affecting 17.5 million Instagram accounts, leading to a surge in password reset requests.
– Meta, Instagram’s parent company, denied a system breach and stated it fixed an issue allowing external parties to request password resets.
– A threat actor is offering a large dataset of scraped public Instagram user information from 2024, allegedly obtained via an insecure API.
– The leaked dataset contains public information like usernames and account IDs, with some email addresses and phone numbers, but no passwords.
– Users are advised to ignore unsolicited password reset requests, enable two-factor authentication, and watch for phishing attempts.

Reports of a significant Instagram data incident circulated widely this weekend, sparking concern among millions of users. Security researchers at Malwarebytes initially flagged that cybercriminals may have obtained sensitive details from approximately 17.5 million Instagram accounts. This news followed a noticeable spike in user complaints about receiving unsolicited password reset emails, leading many to suspect a major platform breach.

However, Meta, Instagram’s parent company, has firmly denied any breach of its internal systems. A company spokesperson addressed the situation, stating they resolved a technical flaw that allowed an outside party to trigger password reset emails for certain users. “You can ignore those emails, sorry for any confusion,” the statement read, attributing the flood of reset requests to this external exploit rather than a direct infiltration.

The security alert appears connected to separate reports of a threat actor advertising a vast collection of Instagram user data on a dark web forum. This actor claims the information was gathered in 2024 by exploiting a poorly secured Instagram API, though this assertion has not been independently verified.

Data from the Have I Been Pwned (HIBP) service provides more clarity on what was potentially exposed. Their analysis indicates the dataset encompasses around 17 million entries of largely public profile information. This includes usernames, account display names, phone numbers, unique account IDs, and geolocation data. Crucially, HIBP notes that 6.2 million of these records included an associated email address. The service emphasized that the leaked information does not contain user passwords or other private, non-public data.

HIBP also clarified that this data scraping event seems distinct from the wave of password reset requests, even though they happened around the same time. The reset emails were likely a side effect of the external party abusing a platform feature, not a direct result of the data cache being accessed or sold.

For user safety, security experts universally recommend a few key steps. First, ignore any password reset emails you did not initiate yourself. Second, proactively strengthen account security by enabling two-factor authentication (2FA), which adds a critical extra layer of protection. Finally, remain vigilant for sophisticated phishing attempts that may use the exposed data to craft convincing emails pretending to be from Instagram support.

(Source: HelpNet Security)
