Instagram: Instagram Denies Reports of Hacking and Data Breach, Says ‘Accounts Are Secure’

Instagram Denies Data Breach After Password Reset Scare

Last week, Instagram users reported receiving unexpected password reset emails, sparking concerns of a potential cyberattack. Cybersecurity firm Malwarebytes initially claimed that a hacker group had compromised up to 17.5 million accounts, allegedly stealing sensitive data including usernames, email addresses, phone numbers, and physical addresses and offering it for sale on the dark web.

However, Instagram swiftly refuted the reports. In an official statement on X (formerly Twitter), the platform acknowledged an issue that allowed an external party to trigger password reset emails but insisted no breach occurred. "We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems, and your Instagram accounts are secure," the company stated, urging users to disregard the emails.

While Malwarebytes’ claims lacked concrete evidence, Instagram also provided no detailed logs or activity data to confirm its denial. The incident remains unclear, though multiple users including tech journalists confirmed receiving the reset emails. Those who clicked the link may have exposed themselves to potential risks, though Instagram maintains no data was compromised.

The conflicting accounts leave questions unanswered, but the platform has not disclosed further details about the vulnerability that enabled the unauthorized reset requests.

Source: https://www.gadgets360.com/apps/news/instagram-denies-data-breach-hacking-17-million-accounts-says-no-such-risk-10721833

Instagram cybersecurity rating report: https://www.rankiteo.com/company/instagram

"id": "INS1768209938",
"linkid": "instagram",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"

{'affected_entities': [{'customers_affected': '17.5 million (claimed by '
                                              'cybersecurity firm)',
                        'industry': 'Technology/Social Media',
                        'location': 'Global',
                        'name': 'Instagram',
                        'size': 'Large (Meta-owned)',
                        'type': 'Social Media Platform'}],
 'attack_vector': 'External party exploited a system issue to send password '
                  'reset emails',
 'customer_advisories': 'Users advised to ignore unexpected password reset '
                        'emails and change passwords if they clicked on links.',
 'data_breach': {'data_exfiltration': 'Claimed but unconfirmed',
                 'number_of_records_exposed': '17.5 million (claimed)',
                 'personally_identifiable_information': 'Yes (usernames, '
                                                        'physical addresses, '
                                                        'phone numbers, email '
                                                        'addresses)',
                 'sensitivity_of_data': 'High (usernames, physical addresses, '
                                        'phone numbers, email addresses)',
                 'type_of_data_compromised': 'Personally Identifiable '
                                             'Information (PII)'},
 'description': 'Instagram users received unexpected password reset emails, '
                'leading to concerns of a potential data breach. A '
                'cybersecurity firm claimed that 17.5 million accounts were '
                'compromised and data was being sold on the dark web. '
                'Instagram denied the breach, stating no systems were '
                'compromised and accounts remain secure.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'user concerns',
            'data_compromised': 'Potential exposure of usernames, physical '
                                'addresses, phone numbers, email addresses',
            'identity_theft_risk': 'High (if users clicked on malicious links)',
            'systems_affected': 'Instagram password reset system'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Claimed but unconfirmed'},
 'investigation_status': 'Ongoing (lack of clarity on events)',
 'post_incident_analysis': {'corrective_actions': 'Issue fixed to prevent '
                                                  'unauthorized reset requests',
                            'root_causes': 'System flaw allowing unauthorized '
                                           'password reset requests'},
 'recommendations': 'Users who received reset emails should change their '
                    'passwords via the official app to prevent potential '
                    'compromise.',
 'references': [{'source': 'Instagram Official Statement (X/Twitter)'},
                {'source': 'Malwarebytes (Bluesky)'},
                {'source': 'Gadgets 360'}],
 'response': {'communication_strategy': 'Official statement on X (Twitter) '
                                        'denying breach and advising users to '
                                        'ignore reset emails',
              'containment_measures': 'Fixed the issue allowing unauthorized '
                                      'password reset requests'},
 'threat_actor': 'Unknown hacker group',
 'title': 'Instagram Password Reset Request Incident',
 'type': 'Unauthorized Access Attempt',
 'vulnerability_exploited': 'System flaw allowing unauthorized password reset '
                            'requests'}