After several Instagram users last week reported receiving unexpected password reset request emails, it has now been reported that a massive data breach may be behind it.
On Saturday evening (IST), cybersecurity firm Malwarebytes reported a massive data theft from the Meta-owned social media platform, claiming that the sensitive information of a whopping 17.5 million Instagram users had been compromised.
"Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more," Malwarebytes said, adding that the stolen data had been made available for sale on the dark web and could be "abused by cybercriminals".
As Malwarebytes reported the breach on its social media handles, many users jumped on to the company's posts and confirmed that they had indeed received password reset emails.
Troy Hunt, the creator of the data breach tracker Have I Been Pwned, also confirmed that he had recently received a password reset request email for his account.
"Who knows what the story is behind this? Scraping? Other?" he asked, sharing a post showing screenshots of the data leak.
Several others, including cybersecurity researchers, however, pointed out that Instagram had not been hacked recently and that the data supposedly available on the dark web is from 2022; it was exposed in late 2024 through an API leak that bypassed standard security measures to scrape user profiles globally.
Cybersecurity newsletter International Cyber Digest said that the data that was reportedly leaked "appears to be from the Instagram 2024 API breach, in which 489 million records were obtained."
"Further analysis shows that the original file dump was created in 2022 and shared in 2023," the cybersecurity page added.
After even more analysis, International Cyber Digest shared an article from 2019, saying, "This leak might be older than initially thought, possibly including data from 2017, which explains the phone numbers and email addresses it contains."
Another cybersecurity and OSINT researcher, by the name of Seb on X, said, “The Instagram data leak file was created on 2022-06-20 10:37:22 and shared via a cloud service on 2023-03-24.”
However, Seb noted that the fresh development could be that the data, scraped earlier, was now being distributed.
What has Meta said?
Despite the report by Malwarebytes, Meta has not confirmed any data breach.
In a statement to Hindustan Times, a spokesperson for the Mark Zuckerberg-owned company said, "We fixed an issue that allowed an external party to request password reset emails for some Instagram users. We want to reassure everyone there was no breach of our systems and people’s Instagram accounts remain secure. People can disregard these emails and we apologize for any confusion this may have caused."
However, the company has yet to publicly comment on the data breach report.
What are the potential risks?
Regardless of whether the data was taken earlier or recently, the leaking of sensitive personally identifiable information could still pose a risk for social media users.
Numerous Instagram users have already reported receiving password reset request emails.
Further, CyberPress reported that while the data leak did not appear to include passwords, the combination of users' emails and phone numbers could be sufficient for "SIM Swapping" attacks and/or attacks based on sophisticated social engineering where scammers can pose as Instagram support to trick victims into handing over two-factor authentication codes and login credentials.
What can you do?
While we await details on what actually took place, it's best to prioritize safety.
All Instagram users are advised to enable multi-factor authentication, preferably using an authenticator app rather than SMS-based codes.
Netizens are also strongly advised not to act on any password reset request emails unless they specifically requested one themselves.
Users can also track their digital footprint and see if their data was stolen in this reported breach or any others before it.
To check your digital footprint and data leak history, you can head to Have I Been Pwned or Malwarebytes' digital footprint scanner.
Once there, you can key in your email address to get a list of all data breaches that have affected your account, and can take action accordingly.