TL;DR
Meta says it has fixed a vulnerability that allowed external parties to trigger Instagram password reset emails and denies that its systems were breached or that user accounts were compromised. Malwarebytes published a claim, along with a screenshot, alleging that data from 17.5 million Instagram accounts was stolen; reporting links that claim to a BreachForums dataset from an alleged 2024 API leak.
What happened
Last week security vendor Malwarebytes published an alert asserting that sensitive information tied to roughly 17.5 million Instagram accounts had been taken, accompanied by a screenshot of a password reset email. Instagram responded that it patched an issue that permitted an external party to request password reset emails for some accounts, and said there was no breach of its systems and that accounts remain secure. The Register reports that Malwarebytes' claim likely referred to a dump posted on BreachForums that purported to contain more than 17 million Instagram users’ personal information and alleged an API leak detected in 2024. Meta framed the incident as a fix to an implementation problem rather than evidence of system compromise, and told users they could ignore the unsolicited reset emails. Separate items in the same infosec roundup noted other security developments, including critical patches from Veeam and a major customer-data exposure at a U.S. gas-station operator.
Why it matters
- Password-reset mechanisms are a common target because they can be abused to gain account access without breaching core systems.
- Conflicting public claims and vendor denials can create uncertainty for users and incident responders about the scope and origin of exposed data.
- Public posts on data-leak sites can amplify risk and confusion even when a platform says its infrastructure was not compromised.
- Fixes to account recovery flows may close immediate abuse vectors, but verification of any leaked datasets is important to assess real user harm.
Key facts
- Instagram fixed an issue that allowed an external party to request password reset emails for some users.
- Instagram/Meta stated there was no breach of their systems and described user accounts as secure.
- Malwarebytes claimed that cybercriminals stole information for 17.5 million Instagram accounts and included a screenshot of a password reset email.
- The Register reports Malwarebytes likely referenced a dataset posted to BreachForums that purported to be a 17-million-plus Instagram data dump tied to an alleged 2024 API leak.
- Meta characterized the problem as an implementation issue that has been remediated and advised users to ignore the unsolicited reset emails.
- In the same roundup, Veeam patched four vulnerabilities, including CVE-2025-59470, which scored 9.0 on the CVSS scale.
- Gulshan Management Services (operator of Handi Plus/Handi Stop gas stations) disclosed exposure of 377,082 customer records after a phishing-related incident.
- Researchers from Nord Stellar reported dark-web posts offering to pay insiders to help breach companies, highlighting insider-threat recruitment activity.
What to watch next
- Whether the dataset posted to BreachForums can be independently verified as originating from Instagram systems — not confirmed in the source
- Any official follow-up from Meta or regulatory bodies about root cause, affected accounts, or notification obligations — not confirmed in the source
- Reports of actual account takeovers or downstream misuse tied to the alleged dataset — not confirmed in the source
Quick glossary
- Password reset email: An automated message sent to an account’s registered contact address to allow a user to change or recover their password.
- API leak: Exposure of data due to flaws or misconfigurations in an application programming interface, which can permit unauthorized access to information.
- Ransomware: Malicious software that encrypts an organization’s systems or data and demands payment for restoration or decryption keys.
- Multi-factor authentication (MFA): A security process that requires two or more verification methods to grant access to an account, reducing reliance on passwords alone.
- Dark web: Parts of the internet not indexed by standard search engines where criminal marketplaces and data-leak forums sometimes operate.
Reader FAQ
Did Instagram confirm a data breach?
Instagram said it fixed an issue that allowed external parties to request password reset emails and stated there was no breach of its systems; reports of a leaked dataset were published by third parties and linked to a BreachForums post, per The Register.
Were user accounts stolen or compromised?
Instagram denied that accounts were compromised; Malwarebytes claimed 17.5 million accounts’ information was stolen, but independent verification is not provided in the source.
Should I act on unsolicited Instagram password reset emails?
Instagram advised users they can ignore those password reset emails.
Is there independent confirmation of the 17.5 million account dataset?
The source notes a likely connection to a BreachForums post claiming an earlier API leak, but independent verification of the dataset is not confirmed in the source.

SECURITY Meta admits to Instagram password reset mess, denies data leak PLUS: Veeam patches critical vuln; Crims bribing dark web insiders; UK school takedown; And more Brandon Vigliarolo Sun 11 Jan 2026 //…
Sources
- Meta admits to Instagram password reset mess, denies data leak
- Instagram denies breach amid claims of 17 million account …
- amid claims details of 17.5million accounts were leaked
- Did Instagram send you a password reset email without …