Instagram has denied that its systems were breached, following reports that sensitive data linked to more than 17.5 million user accounts had been exposed to cybercriminals.
The issue came to public attention after Tech Digest reported on Thursday that millions of Instagram users were receiving suspicious password reset notifications, prompting concerns about a possible data leak. The report cited claims by cybersecurity firm Malwarebytes that personal information, including usernames, email addresses, phone numbers and physical addresses, had been compiled and offered for sale on the dark web.
In a post shared on Bluesky on Friday, Malwarebytes said the alleged dataset contained information tied to 17.5 million Instagram accounts and warned that the exposure could be exploited for phishing attacks, credential stuffing and account takeovers.
Instagram, which is owned by Meta Platforms, pushed back against the claims, saying there was no breach of its systems. In a statement posted on X, the company said it had “fixed an issue that allowed an external party to request password reset emails for some people.”
The company did not identify the external party involved or provide technical details about how the issue occurred, but said users who received the emails could safely ignore them.
“You can ignore those emails — sorry for any confusion,” Instagram said.
Meta has not commented on whether any user data was accessed or whether it is investigating the claims that information linked to Instagram accounts is circulating on the dark web.
