Instagram data leak: Confusion persists as Meta denies any violation

Reports of a possible massive Instagram data leak have sparked widespread concern, while cybersecurity researchers and Meta have given widely differing accounts of what actually happened. A security company claims that millions of user records are being offered for sale online, while Meta insists its systems have not been compromised. These conflicting stories have left many users uncertain about the security of their accounts.


In brief

  • Cybersecurity firm Malwarebytes says data linked to 17.5 million Instagram users has appeared for sale online, possibly linked to an API issue that occurred in 2024.
  • Users have reported a wave of unsolicited password reset emails, fueling fears of account targeting and misuse of personal data.
  • Meta has denied any breach, saying a technical incident triggered these emails and confirming that its systems were not compromised.
  • Security experts warn that exposed data can still be used for phishing, scams and identity fraud, even without direct access to accounts.

Instagram users report flood of reset emails after data appears on dark web

Cybersecurity firm Malwarebytes reported that data associated with approximately 17.5 million Instagram users appeared for sale on underground sites. According to the company, the exposed information includes usernames, email addresses, phone numbers, physical addresses and other personal data. Malwarebytes says the records were identified during regular monitoring of the dark web and could be linked to an API exposure dating back to 2024.


Shortly after the report was published, many Instagram users reported that they began receiving multiple password reset emails which they had not requested. This sudden influx has reignited fears of targeted attacks on accounts. Social media quickly filled with testimonies from users concerned about possible unauthorized access and misuse of their personal data.

Meta, Instagram's parent company, has rejected accusations of a data leak. The company explained that a technical issue temporarily allowed a third party to trigger password reset emails for certain accounts. Meta says the incident has since been corrected and insists its systems were not compromised. In a public communication, the group called on users to ignore these emails, assuring them that their accounts remain secure.

Leaked contact data can facilitate scams and account hijacking, experts say

Despite Meta's assurances, cybersecurity specialists stress that exposing personal data still carries significant risks. Even without direct access to Instagram accounts, malicious actors can exploit this information for fraudulent purposes. The leaked data is frequently used in phishing campaigns, identity theft or attempts to take over accounts on other online services.

Potential misuse of this information includes:

  • Sending credible phishing emails or messages that use real usernames and contact details.
  • Attempting password recovery on other services associated with the same email address or phone number.
  • Impersonating affected users in order to defraud their subscribers.
  • Harassing people using disclosed physical addresses.
  • Building detailed profiles for the purposes of identity fraud or financial scams.

Experts point out that receiving repeated password reset emails can be an early warning signal of malicious activity. Attackers often test known contact information to identify active or vulnerable accounts. Even in the absence of a confirmed breach, making personal data available increases the likelihood of successful attacks on other platforms.


User security in focus after renewed attention on Instagram data

Users are advised to take preventive measures to limit the risks. Enabling two-factor authentication adds an extra layer of security by requiring a verification code when logging in. Professionals also recommend changing passwords regularly, especially when they are old or reused, and using unique credentials for each service.

Increased vigilance is also recommended when faced with unexpected messages. Emails, text messages or private messages that request personal information or urge immediate action should be approached with caution. Clicking on unknown links or sharing verification codes can give attackers direct access to accounts.

This isn't the first time Meta has come under scrutiny regarding Instagram data. In November 2024, reports had already suggested that nearly 489 million user records had appeared on a dark web platform. Although Meta has disputed these claims, the recurrence of such incidents continues to fuel questions about the management and protection of user data online.
