Meta Clarifies Instagram Data Leak Rumors Involving 17.5 Million Accounts

TIG SEA3 weeks ago

182 1 minute read

Concerns have spread among Instagram users worldwide after many reported receiving repeated password reset emails over the past few days. The situation escalated following claims from cybersecurity observers that personal data from as many as 17.5 million Instagram accounts had appeared for sale on dark web marketplaces. The alleged data reportedly included usernames, real names, email addresses, phone numbers, and partial location details.

Cybersecurity firm Malwarebytes first brought attention to the issue via social media, stating that a hacker using the alias Solonnik had shared the dataset on BreachForums. According to the report, the information may have originated from an Instagram API exposure dating back to 2024, but was only recently circulated more widely. This coincided with an unusual surge in password reset emails being sent to users.

In response, Meta issued an official statement to calm concerns, firmly denying that Instagram’s systems had been breached. A Meta spokesperson explained that the reset email wave was caused by a workflow issue that allowed third parties to trigger password reset requests using known email addresses. The company confirmed that the flaw has already been fixed and emphasized that user accounts remain secure. Users were advised that they could safely ignore the unsolicited reset emails.

Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. pic.twitter.com/LXvjjQ5VXL
— Malwarebytes (@Malwarebytes) January 9, 2026

Despite Meta’s assurance, security experts noted that the reset emails themselves were legitimate messages sent from Instagram’s system. This suggests that attackers may be leveraging previously leaked email data to create confusion or pressure users into making mistakes. Such tactics can increase the risk of phishing, especially if users are tricked into clicking fraudulent links outside the official app.

To stay protected, users are encouraged to check whether their email addresses have appeared in known data breaches through services like HaveIBeenPwned. Enabling two-factor authentication, using strong and unique passwords, and staying alert to suspicious messages remain essential steps in maintaining account security.

For anyone receiving unexpected password reset emails, the safest approach is to open the Instagram app directly, navigate to Settings and Privacy, then access the Accounts Center and Password and Security section to review official security notifications. This helps confirm whether the messages are genuine and ensures that no unauthorized changes have been made.

Source: DailyMail