Instagram refutes breach after mass password reset emails
Instagram insists there was 'no breach of its systems,' yet questions persist
Instagram has denied experiencing a data breach after numerous users reported receiving emails requesting a password reset.
The company indicated it had addressed an issue where "an external party" caused the platform to issue authentic password reset emails to users.
Instagram assured users there was no breach of its systems and that their accounts remained secure.
However, some analysts have raised concerns, as cybersecurity firm Malwarebytes suggested that the password reset emails might have resulted from a security compromise.
"Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more," the firm claimed in a post on X, featuring a screenshot of an Instagram password reset email.
The company did not provide additional details, but the post has been viewed over 2.3 million times.
Malwarebytes informed the BBC that it suspects the password reset emails stem from ongoing private data sales on a hacker forum, where a cybercriminal alleges they possess personal data from 17.5 million Instagram accounts.
The advertisement suggests the data resulted from a "leak" that occurred in 2024.
But some security experts believe it might come from an earlier database compiled in 2022 from publicly accessible information, such as names and locations.
The combination of password reset emails and Malwarebytes' cautionary note has left many users on social media puzzled.
Instagram's clarification also raised further questions.
"We fixed an issue that let an external party request password reset emails for some people," the company said. "There was no breach of our systems."
However, Instagram did not address the BBC's inquiries about the identity of the external party that could send genuine password reset emails on the company's behalf.
The emails sparked concern among some users on social media, who worried about potential scams or phishing efforts to collect more information.
Despite this, the links within the emails do not appear harmful, and the password reset process that users follow seems genuine.
The recommended approach remains to visit the main website or app directly to update passwords and enhance security.