Overview
- Security researchers report a dataset of roughly 17–17.5 million Instagram records on BreachForums containing usernames, real names, email addresses, phone numbers and, in some cases, physical addresses.
- Instagram says its systems were not breached and that it has fixed a technical issue that let external parties trigger password‑reset emails for some users.
- Many users received unsolicited password‑reset emails in recent days, which Instagram says can be ignored if not requested by the account owner.
- The dataset’s provenance remains disputed, with researchers pointing to older or scraped data, while Meta rejects claims of a 2024 leak and suggests the trove may be previously reported, fabricated or public information.
- Consumer and security bodies advise ignoring reset links, changing passwords directly in the app, enabling two‑factor authentication with an authenticator app, checking exposure via services like Have I Been Pwned and monitoring login activity.