US: Instagram has dismissed claims of a data breach following reports that thousands of users received unexpected password reset emails. The company said a technical glitch allowed a third party to trigger legitimate password reset requests, but stressed that its internal systems were not compromised and that user accounts remain secure.
Despite Instagram’s assurances, cybersecurity experts have raised concerns. Malwarebytes, a leading security firm, suggested the emails may be linked to a hacking incident. The firm alleged that personal information from 17.5 million Instagram accounts, including usernames, email addresses, phone numbers, and locations, could have been exposed. The claims gained significant attention online, with Malwarebytes’ post sharing an example of a reset email attracting over 2.3 million views.
Malwarebytes later told the BBC that the spike in password reset emails coincided with the sale of user data on a criminal forum. A seller on the forum claims to hold personal information from millions of Instagram accounts, reportedly from a leak dating back to 2024.
Not all experts agree, however. Some independent researchers argue that the dataset may not be new and could consist of publicly available information from Instagram profiles, such as names and locations, dating back to 2022.
The unexpected emails have left many users worried about account security. While the links in the messages appear to lead to genuine Instagram pages, experts advise caution.
Users are recommended to avoid clicking links in unexpected emails and instead use the official Instagram app or website to reset passwords and enable two-factor authentication.
