Social media giant Meta on Sunday confirmed an Instagram password reset vulnerability but denied being breached, amid claims that Instagram users’ data has been leaked online.
The resolved vulnerability, the company said on X, allowed third parties to send password reset requests to Instagram users.
“We fixed an issue that allowed an external party to request password reset emails for some Instagram users,” a Meta spokesperson told SecurityWeek.
While the company has not shared further details on the weakness, many users complained on X about receiving such emails.
Some users said they have been receiving them for a long time, others received them across multiple Meta products, while others said the recent messages were sent to a “mail list” and were ignored.
“We want to reassure everyone there was no breach of our systems and people’s Instagram accounts remain secure. People can disregard these emails and we apologize for any confusion this may have caused,” the spokesperson said.
Meta’s denial of a data breach came shortly after cybersecurity firm Malwarebytes notified its users that hackers had leaked online data associated with 17.5 million Instagram accounts.
“Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more,” the company said on X.
Responding to Malwarebytes’ message, however, cybersecurity experts pointed out that the allegedly stolen information is not new, but rather part of a 2022 data leak. The same data was resurfaced by a threat actor in November 2024, the experts say.
On Sunday, data breach notification service Have I Been Pwned warned that a threat actor had indeed shared on a hacking forum a dataset containing more than 17 million entries.
The dataset contains 6.2 million email addresses. Usernames, display names, account IDs, geolocation data, and phone numbers were also leaked.
The data does not appear linked to the Instagram password reset issue and was allegedly obtained via an Instagram API.
“The scraped data appears to be unrelated to password reset requests initiated on the platform, despite coinciding in timeframe. There is no evidence that passwords or other sensitive data were compromised,” Have I Been Pwned notes.
*Updated with statement from Meta.
Related: 377,000 Impacted by Data Breach at Texas Gas Station Firm
Related: Dozens of Major Data Breaches Linked to Single Threat Actor
Related: Covenant Health Data Breach Impacts 478,000 Individuals
Related: Top US Accounting Firm Sax Discloses 2024 Data Breach Impacting 220,000
