Instagram: Meta fixes Instagram password reset flaw, denies data breach

Meta Patches Instagram Password Reset Flaw Amid Data Leak Concerns

On January 11, 2026, Meta confirmed it had fixed a vulnerability in Instagram that allowed third parties to trigger unsolicited password reset emails for users. The company denied any system breach, stating that accounts remained secure and urging users to disregard the emails. However, the incident sparked widespread concern after nearly a million users reported receiving reset requests since January 10, 2026, fueling fears of a coordinated cyberattack.

While Meta maintained that no breach occurred, security researchers uncovered a separate issue: a database containing sensitive information on nearly 18 million Instagram users was found for sale on a cybercrime forum. Dubbed a "doxxing kit," the leaked data included Instagram user IDs linked to real names and physical home addresses, details not typically exposed in standard profile scrapes. Experts believe attackers likely combined Instagram data with external sources, such as marketing lists or leaked customer records, to create the dataset.

The implications extend beyond digital privacy risks. By tying online identities to physical locations, the leak enables real-world threats, including stalking, swatting, extortion, and identity theft. Meanwhile, Have I Been Pwned (HIBP) reported that a hacker shared a dataset of over 17 million Instagram records, including 6.2 million email addresses, allegedly scraped via an Instagram API. While the data did not include passwords or other sensitive credentials, it contained usernames, display names, account IDs, and, in some cases, geolocation data.

Meta’s response emphasized that the password reset flaw and the scraped data were unrelated, despite their overlapping timelines. The company has not disclosed technical details about the vulnerability, leaving questions about the full scope of the incident.

Source: https://securityaffairs.com/186829/security/meta-fixes-instagram-password-reset-flaw-denies-data-breach.html

Instagram cybersecurity rating report: https://www.rankiteo.com/company/instagram

"id": "INS1768245085",
"linkid": "instagram",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '18 million users (alleged), 1 '
                                              'million users received password '
                                              'reset emails',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Meta (Instagram)',
                        'size': 'Large',
                        'type': 'Social Media Platform'}],
 'attack_vector': 'Password Reset Flaw, API Scraping',
 'customer_advisories': 'Public statement on X (Twitter) advising users to '
                        'ignore unsolicited password reset emails',
 'data_breach': {'data_exfiltration': 'Yes (data sold on cybercrime forum)',
                 'number_of_records_exposed': '17 million (alleged), 6.2 '
                                              'million emails',
                 'personally_identifiable_information': 'Yes (emails, phone '
                                                        'numbers, physical '
                                                        'addresses)',
                 'sensitivity_of_data': 'High (physical addresses, emails, '
                                        'phone numbers)',
                 'type_of_data_compromised': 'Public Instagram information, '
                                             'physical home addresses, emails, '
                                             'phone numbers, geolocation data'},
 'date_detected': '2026-01-10',
 'date_publicly_disclosed': '2026-01-11',
 'date_resolved': '2026-01-11',
 'description': 'Meta fixed an Instagram password reset vulnerability that '
                'allowed third parties to trigger reset emails. Despite claims '
                'of leaked user data, Meta denied any breach of their systems. '
                "However, a sensitive database described as a 'doxxing kit' "
                'affecting nearly 18 million Instagram users was found for '
                'sale on a cybercrime forum, including physical home addresses '
                'linked to Instagram user IDs.',
 'impact': {'brand_reputation_impact': 'Yes',
            'customer_complaints': 'Yes',
            'data_compromised': 'Usernames, display names, account IDs, '
                                'emails, phone numbers, physical home '
                                'addresses, geolocation data',
            'identity_theft_risk': 'Yes',
            'operational_impact': 'Confusion among users, unsolicited password '
                                  'reset emails',
            'systems_affected': 'Instagram password reset system, Instagram '
                                'API'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes',
                           'entry_point': 'Instagram password reset flaw, '
                                          'Instagram API'},
 'investigation_status': 'Ongoing',
 'motivation': 'Data Exfiltration, Financial Gain, Stalking/Swatting/Extortion',
 'post_incident_analysis': {'corrective_actions': 'Fixed the password reset '
                                                  'flaw',
                            'root_causes': 'Instagram password reset '
                                           'vulnerability, API scraping'},
 'references': [{'date_accessed': '2026-01-12',
                 'source': 'SecurityAffairs',
                 'url': 'https://securityaffairs.com'},
                {'date_accessed': '2026-01-12',
                 'source': 'Have I Been Pwned (HIBP)'},
                {'date_accessed': '2026-01-12', 'source': 'Malwarebytes'},
                {'date_accessed': '2026-01-11',
                 'source': 'Instagram (X/Twitter)'}],
 'response': {'communication_strategy': 'Public statement on X (Twitter), user '
                                        'advisories',
              'containment_measures': 'Fixed the password reset vulnerability',
              'remediation_measures': 'Advised users to ignore unsolicited '
                                      'password reset emails'},
 'stakeholder_advisories': 'Users advised to ignore unsolicited password reset '
                           'emails',
 'title': 'Instagram Password Reset Flaw and Alleged Data Leak',
 'type': 'Vulnerability Exploitation, Data Leak',
 'vulnerability_exploited': 'Instagram password reset vulnerability, Instagram '
                            'API scraping'}