Instagram Denies Data Breach Despite Widespread Password Reset Emails
Instagram has refuted claims of a data breach after numerous users received legitimate password reset emails, which the platform attributed to an "external party" triggering the requests. The company assured users that no systems were compromised and that accounts remained secure. However, cybersecurity firm Malwarebytes contradicted Instagram’s statement, alleging that the emails were linked to a hack involving the theft of sensitive data from 17.5 million Instagram accounts. The stolen information reportedly includes usernames, physical addresses, phone numbers, and email addresses.
Malwarebytes referenced a hacker forum post advertising the sale of this data, claiming it originated from a 2024 leak. Some security researchers, however, suggest the dataset may be older, possibly compiled from publicly accessible information as far back as 2022. The incident has sparked debate over the true source of the breach and the extent of the exposed data. Instagram has not provided further details on the external party involved or the measures taken to prevent future incidents.
Source: https://www.bbc.com/news/articles/cdexdr08p05o
Instagram cybersecurity rating report: https://www.rankiteo.com/company/instagram
"id": "INS1768237717",
"linkid": "instagram",
"type": "Breach",
"date": "1/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '17.5 million users (alleged)',
'industry': 'Technology / Social Media',
'location': 'Global',
'name': 'Instagram',
'size': 'Large (Meta-owned)',
'type': 'Social Media Platform'}],
'attack_vector': 'External manipulation of password reset system',
'customer_advisories': 'Users advised their accounts are secure; no action '
'required (per Instagram)',
'data_breach': {'data_exfiltration': 'Allegedly sold on hacker forum',
'number_of_records_exposed': '17.5 million (alleged)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (usernames, physical addresses, '
'phone numbers, email addresses)',
'type_of_data_compromised': 'Personally Identifiable '
'Information (PII)'},
'description': 'Instagram denied a data breach after many users received '
'emails prompting them to reset their passwords. The company '
'stated that an external party caused legitimate password '
'reset requests to be sent but insisted there was no breach of '
'its systems. However, cybersecurity firm Malwarebytes claimed '
'the emails were a result of a hack, with 17.5 million '
"Instagram accounts' sensitive data allegedly stolen and sold "
'on a hacker forum.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'confusion and distrust',
'data_compromised': 'Usernames, physical addresses, phone numbers, '
'email addresses',
'identity_theft_risk': 'High (PII exposed)',
'systems_affected': 'Instagram password reset system'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (alleged)'},
'investigation_status': 'Ongoing (disputed claims)',
'motivation': 'Financial gain (data sold on dark web)',
'post_incident_analysis': {'root_causes': 'External manipulation of password '
'reset system (resolved)'},
'references': [{'source': 'BBC News'},
{'source': 'Malwarebytes (X/Twitter post)'}],
'response': {'communication_strategy': 'Public denial of breach; assurance of '
'account security',
'containment_measures': 'Resolved the issue allowing external '
'manipulation of password reset '
'requests'},
'threat_actor': 'Cybercriminals (alleged)',
'title': 'Instagram Password Reset Emails Triggered by External Party',
'type': 'Data Exposure / Potential Breach'}