Instagram Denies Breach After Reports of 17.5 Million Accounts Compromised
Instagram has refuted claims of a security breach after antivirus firm Malwarebytes alleged that cybercriminals stole sensitive data from 17.5 million user accounts. The incident came to light on Friday when Malwarebytes shared a screenshot of an Instagram password reset email on Bluesky, asserting that stolen data including usernames, physical addresses, phone numbers, and email addresses was being sold on the dark web.
In response, Instagram acknowledged on X (formerly Twitter) that an external party had exploited a technical flaw to trigger unauthorized password reset requests for some users. The company stated the issue had been resolved but did not disclose the identity of the threat actor or further details about the vulnerability. Instagram advised affected users to disregard the reset emails, attributing them to a temporary glitch.
The conflicting accounts highlight growing concerns over data exposure, with Malwarebytes warning that the compromised information could be weaponized for phishing, fraud, or targeted attacks. No official confirmation of a breach has been provided by Instagram beyond the acknowledgment of the password reset anomaly.
Source: https://dataconomy.com/2026/01/12/instagram-denies-data-breach-blames-reset-glitch/
Instagram TPRM report: https://www.rankiteo.com/company/instagram
"id": "ins1768217516",
"linkid": "instagram",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '17.5 million accounts (alleged)',
'industry': 'Technology/Social Media',
'location': 'Global',
'name': 'Instagram',
'size': 'Large',
'type': 'Social Media Platform'}],
'attack_vector': 'External party requesting password reset emails',
'customer_advisories': 'Users notified of password reset requests; advised to '
'ignore if unsolicited',
'data_breach': {'data_exfiltration': 'Yes (alleged sale on dark web)',
'number_of_records_exposed': '17.5 million (alleged)',
'personally_identifiable_information': 'Usernames, physical '
'addresses, phone '
'numbers, email '
'addresses',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personally Identifiable '
'Information (PII)'},
'description': 'Instagram denied a security breach after users received '
'suspicious password reset requests, countering claims by '
'Malwarebytes that data from 17.5 million accounts was stolen. '
'Malwarebytes reported that sensitive information, including '
'usernames, physical addresses, phone numbers, and email '
'addresses, was compromised and is being sold on the dark web. '
'Instagram stated it fixed an issue allowing an external party '
'to request password reset emails for some users but provided '
'no further details.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'alleged data theft',
'data_compromised': 'Usernames, physical addresses, phone numbers, '
'email addresses',
'identity_theft_risk': 'High',
'systems_affected': 'Instagram password reset system'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (alleged)'},
'investigation_status': 'Ongoing',
'motivation': 'Data theft for sale on dark web',
'post_incident_analysis': {'corrective_actions': 'Issue fixed; no further '
'details provided',
'root_causes': 'Technical issue allowing external '
'password reset requests'},
'references': [{'source': 'Malwarebytes (Bluesky post)'},
{'source': 'Instagram (X/Twitter post)'}],
'response': {'communication_strategy': 'Public statement on X (Twitter) '
'advising users to ignore reset emails',
'containment_measures': 'Fixed issue allowing external password '
'reset requests'},
'stakeholder_advisories': 'Instagram advised users to ignore suspicious '
'password reset emails',
'threat_actor': 'Cybercriminals',
'title': 'Instagram Password Reset Request Issue and Alleged Data Theft',
'type': 'Data Breach Allegation'}