Meta dismisses Instagram data leak claims after password reset scare rattles users

Meta has moved to calm fears of a massive Instagram data breach after reports claimed information linked to nearly 17 million accounts was being traded online. The company has insisted that its systems were never hacked and that no user accounts were compromised, even as thousands of users reported receiving unexpected password reset emails.

The situation escalated after cybersecurity firm Malwarebytes said it had found a database allegedly tied to around 17.5 million Instagram users being advertised on the dark web. The firm claimed the information on sale included usernames, email addresses, phone numbers and, in some cases, physical locations, raising concerns that the data could be used for scams or targeted phishing attacks.

Also read: AI complaints on Elon Musk-owned X surge in India after Grok Imagine rollout

In response, Meta issued a clarification, saying the panic was triggered by a technical loophole rather than a breach. A company spokesperson told Hindustan Times that an external party had exploited a flaw that allowed them to trigger password reset emails for some users, without gaining any access to Instagram’s internal systems.

“We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems, and people’s Instagram accounts remain secure,” the spokesperson said, adding that users who received such emails could safely ignore them. Meta also apologised for the confusion caused by the incident.

While Malwarebytes has stood by its claim that the dataset could expose users to online fraud, Meta has not acknowledged any loss of data from its servers. So far, there has been no independent confirmation that the information being offered online originated from Instagram’s own databases.

Also read: Maharashtra civic polls see ₹55 crore digital ad spend on Meta, Google

Security experts say incidents involving fake or mass-triggered password reset emails are not uncommon on large platforms and are often the result of automated abuse rather than hacking. Still, users are being advised to stay vigilant by enabling two-factor authentication, avoiding suspicious links and reviewing their account security settings. Changing passwords as a precautionary measure is also being recommended for those who received the alerts.

For now, Meta maintains that the issue has been contained and that Instagram’s global user base remains safe, even as the episode underscores how quickly digital security scares can spread in an era of heightened concern over online privacy.