Overview
- Instagram said it fixed an issue that let an external party request legitimate reset emails, adding that there was no compromise of its systems.
- Users across regions reported unexpected messages that looked authentic, and Instagram advised ignoring unsolicited reset emails from any source not verified as @mail.instagram.com.
- A dataset of 17,017,213 Instagram records is circulating on cybercrime forums with usernames, IDs, phone numbers, partial addresses and about 6.2 million email addresses, according to Have I Been Pwned and third-party analyses.
- Security researchers dispute the dataset’s origin, with Malwarebytes linking it to a 2024 API exposure while others, including Hackread, say it matches scraped data first seen in 2022; Meta says it is unaware of any such API incidents.
- No passwords are in the dataset, but experts warn attackers can use exposed contact details to run phishing and social-engineering schemes, so users should enable app-based two-factor authentication and review logged-in devices.