In recent hours, a climate of uncertainty has surrounded millions of Instagram users, trapped in a complex back-and-forth between the social media giant and cybersecurity experts.
The central issue revolves around an abnormal surge of password reset emails received by numerous users, a phenomenon that immediately raised fears of a large-scale data breach.
Meta, the parent company of Instagram, has stepped in to confirm the existence of a technical fault in its service, but has categorically denied that such a disruption led to theft of personal information, effectively denying the alarming statements spread by third parties.
Instagram: problems with password reset requests but no data theft
Everything began when several users started reporting receipt of official emails from Instagram inviting them to reset their login credentials, even though they had not requested it. The situation had become so serious that it forced the company to break its silence.
Last Saturday, through a post published curiously on X (the former Twitter) rather than on its own platforms such as Threads or Instagram itself, the company admitted the incident. In the statement, the company explained that it had fixed a problem that allowed an external party to trigger password reset emails for some users.
The Instagram message aims to reassure the user base, explicitly stating that there has been no internal systems breach and that accounts remain secure.
The directive given to users was simple and direct: ignore those emails, apologizing for the confusion caused.
However, the brief nature of the statement and the lack of specific details about who this “external party” was or the technical nature of the bug left room for conflicting interpretations and growing concerns.
Malwarebytes’ warning
The reassurance from Meta clashes head-on with a much more alarming report released last Friday by Malwarebytes, a well-known cybersecurity software provider.
In a post on the Bluesky social platform, Malwarebytes shared a screenshot of one of the incriminated reset emails, accompanying it with a statement that paints a far more serious scenario than a simple technical glitch.
According to the security company, cybercriminals would have stolen the sensitive information of as many as 17.5 million Instagram accounts.
The data would presumably include not only usernames, but also physical addresses, phone numbers, email addresses and other personal information.
Malwarebytes also added that such a database is currently available for sale on the dark web, ready to be abused by malicious actors for fraud or identity theft. This narrative suggests that the reset emails were not a simple system error, but the visible symptom of a coordinated attack or the result of an attempt to exploit data that had already been exfiltrated.
The data context and the “BreachForums” hypothesis
According to reports compiled by specialized outlets such as The Register, it is likely that Malwarebytes was referring to a dataset appearing on the well-known leak site BreachForums.
On that platform, a user recently published an archive containing the personal information of over 17 million Instagram users, claiming that this data was the result of a data leak via API detected during 2024.
This detail is crucial to interpreting what happened: it is possible that the two events are technically distinct but temporally overlapping.
On the one hand, the bug fixed by Meta that generated the reset emails; on the other, the circulation of a database (perhaps old or the result of earlier scraping) that led security analysts to wrongly connect the reset emails to a new, large-scale breach of Instagram’s systems.
Although Meta insists that its systems were not breached on this occasion, the presence of such data on the digital black market keeps the focus on user information security, leaving open the question about the real origin of that million-record database.
