Instagram: Been asked to reset your Instagram password? Company denies data breach reports after users bombarded with request emails

Instagram Faces Security Concerns Amid Password Reset Errors and Alleged Data Leak

Meta has confirmed that recent password reset emails sent to some Instagram users were triggered by an error, not a security breach. The company stated that an external party exploited a flaw to send these emails, but no accounts were compromised. Users were advised to disregard the messages, which Meta attributed to a technical issue now resolved.

Meanwhile, cybersecurity firm Malwarebytes reported that data from 17.5 million Instagram accounts, including usernames, emails, phone numbers, and addresses, had surfaced on hacking forums. Researchers suggest the leak may stem from a 2024 API vulnerability, though some believe it originated from a 2022 scraping incident. Meta, however, denies any recent or past API breaches.

The authenticity of the leaked data raises concerns, as cybercriminals could use it for phishing attacks, impersonating Meta to steal login credentials. While the exact source of the leak remains disputed, the exposure of real user data underscores ongoing risks in social media security.

The incident follows broader tensions, including Russia’s recent ban on Instagram, further complicating Meta’s operations in the region.

Source: https://www.techradar.com/pro/security/been-asked-to-reset-your-instagram-password-company-denies-data-breach-reports-after-users-bombarded-with-request-emails

Instagram TPRM report: https://www.rankiteo.com/company/instagram

"id": "ins1768216763",
"linkid": "instagram",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '17.5 million users',
                        'industry': 'Technology/Social Media',
                        'location': 'Global',
                        'name': 'Instagram',
                        'size': 'Large',
                        'type': 'Social Media Platform'}],
 'attack_vector': 'API Exploitation (alleged)',
 'customer_advisories': 'Users advised to disregard unsolicited password reset '
                        'emails and verify information directly on Meta sites.',
 'data_breach': {'data_exfiltration': 'Yes (shared on hacking forums)',
                 'number_of_records_exposed': '17.5 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PII)',
                 'type_of_data_compromised': ['User IDs',
                                              'Usernames',
                                              'Email accounts',
                                              'Phone numbers',
                                              'Names',
                                              'Postal addresses']},
 'description': 'Meta reported that Instagram password reset emails were '
                'triggered by an error, not a breach. However, Malwarebytes '
                'reported 17.5 million account details leaked, possibly from '
                'past API incidents (2022 or 2024). Hackers sharing authentic '
                'data heightens phishing risks.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'phishing risks',
            'data_compromised': '17.5 million accounts',
            'identity_theft_risk': 'High',
            'systems_affected': ['Instagram API']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes'},
 'investigation_status': 'Ongoing (disputed origin of leaked data)',
 'lessons_learned': 'Need for stricter API security and user verification '
                    'processes to prevent phishing risks.',
 'motivation': ['Data Theft', 'Phishing'],
 'post_incident_analysis': {'corrective_actions': ['Fixed password reset email '
                                                   'trigger issue',
                                                   'Enhanced API security '
                                                   'measures (alleged)'],
                            'root_causes': ['Alleged API misconfiguration',
                                            'Potential past data scraping '
                                            'incidents']},
 'recommendations': 'Users should ignore unsolicited password reset emails and '
                    'verify information directly on Meta platforms. Enhanced '
                    'API monitoring and access controls are recommended.',
 'references': [{'source': 'BleepingComputer'},
                {'source': 'TechRadar'},
                {'source': 'Malwarebytes'}],
 'response': {'communication_strategy': 'Public statement reassuring users of '
                                        'no breach',
              'containment_measures': 'Fixed issue allowing unauthorized '
                                      'password reset emails'},
 'stakeholder_advisories': 'Meta reassured stakeholders that no breach '
                           'occurred and accounts remain secure.',
 'title': 'Instagram Password Reset Emails Triggered by Error, Not a Breach',
 'type': ['Data Leak', 'Phishing Risk'],
 'vulnerability_exploited': 'API Misconfiguration (alleged)'}