Denies Breach Amid Claims Of 17 Million Account Data Leak Instagram

Instagram says it fixed a bug that allowed threat actors to mass-request password reset emails, amid claims that data from more than 17 million Instagram accounts was scraped and leaked online.

"We fixed an issue that allowed an external party to request password reset emails for some Instagram users," a Meta spokesperson told BleepingComputer.

"We want to reassure everyone there was no breach of our systems and people's Instagram accounts remain secure. People can disregard these emails and we apologize for any confusion this may have caused."

A media frenzy over an alleged Instagram data breach began after Malwarebytes warned its customers that cybercriminals had stolen data from 17.5 million accounts.

This alleged Instagram data was released for free on numerous hacking forums, with the poster claiming it was gathered through an unconfirmed 2024 Instagram API leak.

In total, the shared data contains 17,017,213 Instagram account profiles, including phone numbers, user names, names, physical addresses, email addresses, and Instagram IDs.

Not all of this information is present for each record, with some containing as little as just an Instagram ID and a username.

Cybersecurity researchers on X claim [1, 2] that the scraped data is from a 2022 API scraping incident, but have not provided any clear evidence to confirm this.

Furthermore, Meta told BleepingComputer that it is not aware of any API incidents in 2022 or 2024.

However, Instagram has previously suffered from API scraping incidents, such as a 2017 bug that was exploited to scrape and sell the personal information of an alleged 6 million accounts.

Source: BleepingComputer