Instagram: Instagram responds to ‘password reset’ email fiasco and says NO breach but warns ‘external party’ triggered chaos

Instagram Addresses Mysterious Password Reset Emails Amid Data Breach Concerns

Instagram, owned by Meta, has responded to widespread reports of unexpected password reset emails sent to users over the weekend, which initially raised fears of a major data breach. The company confirmed that the emails were triggered by an external party exploiting a flaw in its system, not a security compromise.

Cybersecurity firm Malwarebytes had earlier claimed that the personal data of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, and email addresses, had been stolen and was being sold on the dark web. However, Meta denied these allegations, stating that no breach occurred and that the issue allowing unauthorized password reset requests has since been resolved.

In a statement on X (formerly Twitter), Instagram clarified: “We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems, and your Instagram accounts are secure. You can ignore those emails, sorry for any confusion.”

The incident highlights ongoing concerns about platform vulnerabilities, even as Meta asserts that user accounts remain unaffected.

Source: https://www.the-sun.com/tech/15768243/instagram-speaks-out-password-reset-email-confusion/

Instagram TPRM report: https://www.rankiteo.com/company/instagram

"id": "ins1768224369",
"linkid": "instagram",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '17.5 million accounts (alleged)',
                        'industry': 'Technology/Social Media',
                        'location': 'Global',
                        'name': 'Instagram',
                        'size': 'Large',
                        'type': 'Social Media Platform'}],
 'customer_advisories': 'Ignore the password reset emails; enable two-factor '
                        'authentication for account security.',
 'data_breach': {'data_exfiltration': 'Alleged sale on dark web',
                 'number_of_records_exposed': '17.5 million (alleged)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (Personally Identifiable '
                                        'Information)',
                 'type_of_data_compromised': ['Usernames',
                                              'Physical addresses',
                                              'Phone numbers',
                                              'Email addresses']},
 'description': 'Instagram sent unexpected password reset emails to users, '
                'sparking fears of a data breach. Meta denied any breach, '
                'attributing the emails to a flaw that allowed an external '
                'party to trigger password reset emails, which has since been '
                'fixed.',
 'impact': {'brand_reputation_impact': 'Potential confusion and concern among '
                                       'users',
            'data_compromised': 'Usernames, physical addresses, phone numbers, '
                                'and email addresses (alleged)',
            'identity_theft_risk': 'High (if data was exposed as alleged)',
            'systems_affected': 'Instagram password reset system'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Alleged'},
 'investigation_status': 'Resolved (flaw fixed)',
 'post_incident_analysis': {'corrective_actions': 'Flaw fixed to prevent '
                                                  'external triggering of '
                                                  'password reset emails',
                            'root_causes': 'Flaw in password reset email '
                                           'system'},
 'recommendations': 'Enable two-factor authentication and set up a '
                    'verification selfie for account recovery.',
 'references': [{'source': 'The US Sun'}, {'source': 'Malwarebytes'}],
 'response': {'communication_strategy': 'Public statement on X (Twitter) '
                                        'urging users to ignore the emails',
              'containment_measures': 'Flaw fixed to prevent external '
                                      'triggering of password reset emails'},
 'title': 'Instagram Password Reset Email Incident',
 'type': 'Potential Data Exposure',
 'vulnerability_exploited': 'Flaw allowing external party to trigger password '
                            'reset emails'}