Instagram responds to allegations that it got pwned

Last Friday, security software vendor Malwarebytes claimed that “Cybercriminals stole the sensitive information of 17.5 million Instagram accounts.” Instagram, meanwhile, has publicly denied that it suffered a data breach, even though a large dataset allegedly containing information from around 17 million accounts was being discussed online.

This alleged Instagram data was released on numerous hacking forums for free, with the post claiming it was gathered through an unconfirmed 2024 Instagram API leak.

The dataset contains the following counts of unique values:

  • ID: 17,015,503
  • Username: 16,553,662
  • Email: 6,233,162
  • Phone number: 3,494,383
  • Name: 12,418,006
  • Address: 1,335,727

The social media company acknowledged a technical issue that allowed an external party to trigger mass password reset emails for many users but emphasized that its systems were not breached and user accounts remain secure. Instagram says it has already fixed the bug that enabled the unauthorized reset requests. 

Instagram has urged users to ignore unsolicited password reset emails unless they personally initiated the request and to take standard security precautions such as enabling two-factor authentication. 

Steven Swift, Managing Director, Suzu Labs, had this to say:

   “There are two separate issues with the Instagram incident. One being that it was possible to initiate a password reset for other users (this one is reported as fixed) and separately, someone aggregated what appears to be old breach data into a new package. Neither of these are huge issues, though it will certainly make some users concerned.

   “It’s going to be concerning for users to see someone else attempting a password reset. Note that this issue was limited to initiating a password reset. There’s no indication that attackers were able to actually complete a password change, making this more of an annoyance rather than a major security threat.

   “For the data leak itself, this is old data. The only thing new here is that someone aggregated a bunch of leak data together and is now bragging about it. One of the unfortunate realities about using services on the internet is that personal data tends to leak out of most services, eventually.

   “Once the data is leaked, there’s no way to put it back. If it’s out, it’s out.

   “So, what can users do about it? For this incident, not much. It doesn’t appear passwords were exposed, and the leak data was old. However, some general recommendations still apply.

   “If you’re ever concerned after seeing suspicious activity on your account, any account, reset your password and double check that you have MFA in place. It’s generally better to be a bit cautious here. Use a password that you don’t use anywhere else. Ensure that it’s sufficiently long and/or complex. Save your passwords in a password manager.”

Michael Bell, Founder & CEO, Suzu Labs, follows with this:

   “Two separate issues hit at once. The dataset appears to be from a 2024 scraping or API exposure, while the password reset bug is a separate technical issue. No passwords in the leak sounds reassuring, but it doesn’t take much to fill that gap. Those 6 million email addresses can be cross-referenced against infostealer logs and existing credential dumps to find matching passwords. Most people reuse credentials somewhere along the line. Instagram users should enable MFA and make sure they didn’t use the same password a bunch of other places.”

John Carberry, Solution Sleuth, Xcape, Inc., adds this:

   “The recent disclosure of 17.5 million Instagram user records highlights the ongoing tension between how companies define a “breach” and the actual risks faced by users. While Meta insists its central systems weren’t hacked, the appearance of this data on BreachForums demonstrates how a 2024 API “scraping” vulnerability can be just as harmful as a direct attack.

   “This incident underscores the blurring lines between a confirmed breach and large-scale data exposure, both of which erode user trust. Even if Instagram’s main systems weren’t breached, a vulnerability allowing mass password reset abuse can still lead to account takeovers and widespread social engineering.

   “The presence of millions of email addresses and phone numbers in these datasets raises serious concerns about data aggregation from previous leaks, scraping activities, or API misuse.

   “From a user’s perspective, the technical difference between a system breach and a massive API scrape is meaningless when their inbox is flooded with convincing reset links. Transparency regarding data origin is crucial, especially when free data releases facilitate abuse. This situation also emphasizes how reset mechanisms can be exploited if not carefully rate-limited and monitored.

   “When platforms downplay failures, attackers fill the gap, and users pay the price.”
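The bug Instagram describes, an external party triggering mass password reset emails, and the rate-limiting and monitoring point raised above are the kind of thing a defender can catch in reset-request logs. The following is an added example, not code from The IT Nerd, Instagram or Meta; the log format, the sample lines and the thresholds are constructed assumptions. It flags any source that requests resets for more than a handful of distinct accounts inside a sliding one-minute window, so a single user retrying their own reset is not flagged.

```python
# Added example (not from the post or from Instagram/Meta): detect one source
# triggering password resets for many distinct accounts in a short window.
# Log format, sample lines and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> reset_requested src=<ip> account=<user>"
SAMPLE_LOG = """\
2025-01-10T12:00:01 reset_requested src=203.0.113.7 account=alice
2025-01-10T12:00:02 reset_requested src=203.0.113.7 account=bob
2025-01-10T12:00:02 reset_requested src=203.0.113.7 account=carol
2025-01-10T12:00:03 reset_requested src=203.0.113.7 account=dave
2025-01-10T12:00:04 reset_requested src=203.0.113.7 account=erin
2025-01-10T12:00:05 reset_requested src=203.0.113.7 account=frank
2025-01-10T12:05:00 reset_requested src=198.51.100.4 account=grace
2025-01-10T12:30:00 reset_requested src=198.51.100.4 account=grace
"""

def parse_line(line):
    """Parse one log line into (timestamp, source_ip, account)."""
    ts, _event, src, acct = line.split()
    return (datetime.fromisoformat(ts), src.split("=", 1)[1], acct.split("=", 1)[1])

def find_mass_reset_sources(log_text, window=timedelta(seconds=60), max_accounts=5):
    """Return {source_ip: accounts} for every source that requested resets for
    more than `max_accounts` distinct accounts within any `window`-long span.
    A sliding window per source keeps a slow, legitimate stream from firing."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_src = defaultdict(list)
    for ts, src, acct in events:
        per_src[src].append((ts, acct))
    flagged = {}
    for src, hits in per_src.items():
        start = 0
        for end in range(len(hits)):
            # Advance the window start so hits[start..end] all fall within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {acct for _, acct in hits[start:end + 1]}
            if len(targets) > max_accounts:
                flagged[src] = flagged.get(src, set()) | targets
    return flagged

if __name__ == "__main__":
    for src, accounts in find_mass_reset_sources(SAMPLE_LOG).items():
        print(f"{src} triggered resets for {len(accounts)} accounts: {sorted(accounts)}")
```

The same per-source check, applied before the reset email is sent rather than after the fact, is the rate limit Carberry's comment refers to.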

The cynic in me says that Meta, which owns Instagram, doesn’t want to admit that they got pwned in some way. I guess we’ll have to see when people start getting pwned in various ways to prove or disprove whether this is factual.
