Instagram says it fixed a bug that allowed threat actors to mass-request password reset emails, amid claims that data from more than 17 million Instagram accounts was scraped and leaked online.
“We fixed an issue that allowed an external party to request password reset emails for some Instagram users,” a Meta spokesperson told BleepingComputer.
“We want to reassure everyone there was no breach of our systems and people’s Instagram accounts remain secure. People can disregard these emails and we apologize for any confusion this may have caused.”
A media frenzy over an alleged Instagram data breach began after Malwarebytes warned its customers that cybercriminals had stolen data from 17.5 million accounts.
This alleged Instagram data was released for free on numerous hacking forums, with the poster claiming it was gathered through an unconfirmed 2024 Instagram API leak.
In total, the shared data contains 17,017,213 Instagram account profiles, including phone numbers, user names, names, physical addresses, email addresses, and Instagram IDs.
The dataset contains the following counts of unique values:
- ID: 17,015,503
- Username: 16,553,662
- Email: 6,233,162
- Phone number: 3,494,383
- Name: 12,418,006
- Address: 1,335,727
Not all of this information is present for each record, with some containing as little as just an Instagram ID and a username.
Cybersecurity researchers on X claim [1, 2] that the scraped data is from a 2022 API scraping incident, but have not provided any clear evidence to confirm this.
Furthermore, Meta told BleepingComputer that it is not aware of any API incidents in 2022 or 2024.
However, Instagram has previously suffered from API scraping incidents, such as a 2017 bug that was exploited to scrape and sell the personal information of an alleged 6 million accounts.
It is not clear whether the newly leaked Instagram data is a compilation of the 2017 leak and additional information from the past couple of years.
BleepingComputer contacted the person who leaked the Instagram information to confirm when it was stolen, but did not receive a response.
Instagram denies a breach
There is currently no evidence that this incident represents a new Instagram data breach. Meta says it is not aware of any API compromises in 2022 or 2024 and that there has not been a new breach.
Furthermore, researchers have not provided proof that the leaked dataset was obtained through a recent vulnerability.
Instead, the information suggests the data may be a compilation of previously scraped information from multiple sources over several years.
The good news is that this leaked data does not contain passwords, so there is no need to change them.
However, people do need to stay vigilant against targeted phishing, smishing (text phishing), and social engineering attacks that utilize this information.
It is common for threat actors to use leaked data to try to steal additional information, such as a user’s password.
If you receive an Instagram password reset email or text codes to your phone number and did not initiate an account recovery, then simply ignore and delete them.
If you do not have two-factor authentication enabled on your account, it is strongly recommended that you turn it on to increase your security.
Update 1/11/26: Added unique data values.
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.