Buzz about a potential Instagram data breach began spreading this week as numerous users took to forums and social media to report receiving password reset messages that they did not request, but Meta says that it is nothing to worry about.
Concerns were amplified by reports of a dark web trove of data from 17 million Instagram user accounts surfacing at about the same time the strange password reset emails began appearing. Security researchers think the trove is most likely a compilation of old information, however, and that it does not contain any login credentials.
Demystifying the Instagram password reset incident
The official word from Meta, via its main Instagram account, is that an “issue” that allowed third parties to request password resets for “some people” was fixed on January 11 and that users could safely ignore the strange password reset messages. They also reassured users that there is no new data breach and that accounts remain secure. However, that vague wording did not do much to quell speculation.
Security researchers have taken a deeper look at the trove of Instagram data that appeared on the dark web shortly after the first unrequested password reset messages were reported. They believe it is most likely a compilation of information from older Instagram data breaches, potentially with some quantity of fake information mixed in. While not acknowledged or confirmed by Instagram, some researchers believe that the threat actors who posted the data may have tried password spraying attacks with it just prior to putting it up for sale on the dark web forum; that theory would lend credence to the idea that they found the information to be largely out of date or otherwise useless and decided to attempt selling it instead.
The 17 million data breach records contain basic account contact information: usernames, full names, user IDs, phone numbers and email addresses associated with the account, and partial locations including country of origin. There is no indication that they contain any passwords or other authentication information. Instagram has about three billion active users worldwide, so the 17 million count represents at most a small fraction of users (and that is before accounting for the possibility that some of the data is from fake or deactivated accounts).
Security experts tend to agree with Instagram that for most users this incident does not merit taking additional action such as changing passwords, but those who did receive a password reset message may want to enable 2FA for added security. Steven Swift, Managing Director, Suzu Labs, also believes that most Instagram users will not need to take any action: “There are two separate issues with the Instagram incident. One being that it was possible to initiate a password reset for other users (this one is reported as fixed) and separately, someone aggregated what appears to be old breach data into a new package. Neither of these are huge issues, though it will certainly make some users concerned. It’s going to be concerning for users to see someone else attempting a password reset. Note that this issue was limited to initiating a password reset. There’s no indication that attackers were able to actually complete a password change, making this more of an annoyance rather than a major security threat.”
“So, what can users do about it? For this incident, not much. It doesn’t appear passwords were exposed, and the leak data was old. However, some general recommendations still apply. If you’re ever concerned after seeing suspicious activity on your account, any account, reset your password and double check that you have MFA in place. It’s generally better to be a bit cautious here. Use a password that you don’t use anywhere else. Ensure that it’s sufficiently long and/or complex. Save your passwords in a password manager,” added Swift.
Michael Bell, Founder & CEO, Suzu Labs, cautions that though there is nothing for most users to worry about, this is a prompt to review and change any re-used passwords: “Two separate issues hit at once. The dataset appears to be from a 2024 scraping or API exposure, while the password reset bug is a separate technical issue. No passwords in the leak sounds reassuring, but it doesn’t take much to fill that gap. Those 6 million email addresses can be cross-referenced against infostealer logs and existing credential dumps to find matching passwords. Most people reuse credentials somewhere along the line. Instagram users should enable MFA and make sure they didn’t use the same password a bunch of other places.”
No indications of any new data breach
In addition to Instagram’s denial, there are no third-party indications of a new data breach of the service at present. On the dark web forum, the hackers claimed that the records came from a 2024 API leak. This likely references a similar incident in November 2024, when hackers appeared on another dark web forum claiming to have abused a bug in the Instagram API to scrape some 489 million records of account information. The full accuracy of that claim remains unclear, though a sample of 100 user records posted by the hacker at the time appeared to contain some legitimate information.
Furthermore, analysis of the new 17 million record trove by security experts reveals that not every record contains even rudimentary sensitive contact information. All of the records contain the Instagram user ID, and the majority contain the username and full name. But less than half have email addresses, half that again contain phone numbers, and only about a tenth of the records have a physical address.
Setting aside the questionable legitimacy of the 2024 API abuse incident, there have been several prior cases of Instagram scraping from which these supposed data breach records may have been drawn. One was in 2022, though Meta never formally acknowledged that the incident took place. That claim also originated from data offered for sale on a dark web forum, in May of that year, and it involved the same sort of basic account and contact information. Instagram also had an API bug exploited in 2017 that ended up leaking information from about six million user accounts, with those attackers focusing on celebrity accounts during the course of the data breach.
The account information comes from a threat actor calling itself Solonik, which has recently been on a spree of offering large data dumps for sale that it claims come from data breaches. This individual or group has not been tied to any specific prior data breaches, however, and may simply be specializing in repackaging old and stale information for sale.
John Carberry, Solution Sleuth at Xcape, thinks that the incident will have a negative impact on Instagram despite the information leak not being particularly concerning: “This incident underscores the blurring lines between a confirmed breach and large-scale data exposure, both of which erode user trust. Even if Instagram’s main systems weren’t breached, a vulnerability allowing mass password reset abuse can still lead to account takeovers and widespread social engineering. The presence of millions of email addresses and phone numbers in these datasets raises serious concerns about data aggregation from previous leaks, scraping activities, or API misuse. From a user’s perspective, the technical difference between a system breach and a massive API scrape is meaningless when their inbox is flooded with convincing reset links. Transparency regarding data origin is crucial, especially when free data releases facilitate abuse. This situation also emphasizes how reset mechanisms can be exploited if not carefully rate-limited and monitored. When platforms downplay failures, attackers fill the gap, and users pay the price.”
Tim Erlin, Security Strategist at Wallarm, adds: “One of the challenges with data breaches in general is that the impact is often disconnected from the actual incident. It’s hard for victims, both consumers and companies, to draw a causal link between an incident six months ago and the outcome today. APIs are designed to share data programmatically and at scale. A tool like that is a huge advantage for integration at internet scale, but also for attackers looking to harvest data. Protecting against data scraping at this scale is a critical component of any API security program. When APIs are designed to share data, detecting anomalies in how that data is being accessed is crucial. These are not exploits of a specific vulnerability, but abuse of an API.”
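The two quotes above make the same defensive point from different angles: a password reset endpoint should be rate-limited and monitored, and an API that legitimately shares data needs anomaly detection on how that data is accessed. The following is an added example, not code from the original article or from Meta, Suzu Labs, Xcape or Wallarm. It replays a constructed request log through a sliding-window detector that flags any single source initiating resets for many different accounts, or walking many different user IDs through a lookup API, inside a short window, while leaving a user who resets their own account twice alone. The log format, the endpoint paths, the thresholds and the IP addresses are all assumptions chosen for illustration.

```python
"""Sliding-window abuse detector for password-reset and account-lookup traffic.

Assumed log format, one request per line (constructed for this example):
    <ISO-8601 timestamp> <source_ip> <endpoint> <target_user_id> <http_status>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Set, Tuple


class Request(NamedTuple):
    ts: datetime
    source: str
    endpoint: str
    target: str
    status: int


# Illustrative thresholds (assumption): more than `max_targets` distinct target
# accounts from one source on one endpoint within `window_s` seconds is abuse.
# A real user resets their own account, not dozens of other people's.
THRESHOLDS: Dict[str, Tuple[int, int]] = {
    "/password_reset": (3, 60),   # hypothetical reset-initiation endpoint
    "/users/lookup": (20, 60),    # hypothetical profile-lookup API endpoint
}


def parse_line(line: str) -> Request:
    ts, source, endpoint, target, status = line.split()
    return Request(datetime.fromisoformat(ts), source, endpoint, target, int(status))


class SlidingWindowDetector:
    """Counts distinct targets per (source, endpoint) in a rolling time window."""

    def __init__(self, thresholds: Dict[str, Tuple[int, int]] = THRESHOLDS):
        self.thresholds = thresholds
        self._events: Dict[Tuple[str, str], Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.flagged: Set[Tuple[str, str]] = set()

    def check(self, req: Request) -> bool:
        """Record the request; return True if it should be denied and alerted on."""
        if req.endpoint not in self.thresholds:
            return False
        max_targets, window_s = self.thresholds[req.endpoint]
        key = (req.source, req.endpoint)
        window = self._events[key]
        window.append((req.ts, req.target))
        cutoff = req.ts - timedelta(seconds=window_s)
        while window and window[0][0] < cutoff:      # expire events outside the window
            window.popleft()
        # HTTP status is deliberately ignored: the reset issue in the article was
        # about *initiating* resets, which the server answers normally.
        if len({target for _, target in window}) > max_targets:
            self.flagged.add(key)
            return True
        return False


def scan(log_lines: List[str]) -> Dict[str, object]:
    """Replay a log; return offending sources per endpoint and the deny count."""
    det = SlidingWindowDetector()
    denied = sum(det.check(parse_line(line)) for line in log_lines)
    alerts: Dict[str, List[str]] = defaultdict(list)
    for source, endpoint in sorted(det.flagged):
        alerts[endpoint].append(source)
    return {"alerts": dict(alerts), "denied": denied}


def build_sample_log() -> List[str]:
    """Constructed traffic, not real data: one abuser per endpoint plus a legitimate user."""
    t0 = datetime(2024, 6, 1, 10, 0, 0)

    def line(offset_s: int, src: str, ep: str, target: str) -> str:
        return f"{(t0 + timedelta(seconds=offset_s)).isoformat()} {src} {ep} {target} 200"

    lines: List[str] = []
    # 203.0.113.5 initiates resets for six different accounts in 25 seconds.
    lines += [line(5 * i, "203.0.113.5", "/password_reset", f"u10{i:02d}") for i in range(6)]
    # 198.51.100.7 walks 25 sequential user IDs through the lookup API.
    lines += [line(30 + i, "198.51.100.7", "/users/lookup", f"u5{i:03d}") for i in range(25)]
    # 192.0.2.10 resets its own account twice (typo on the first try): legitimate.
    lines += [line(40, "192.0.2.10", "/password_reset", "u2001"),
              line(70, "192.0.2.10", "/password_reset", "u2001")]
    return lines


if __name__ == "__main__":
    print(scan(build_sample_log()))
```

Keying on distinct targets rather than raw request count is the design choice that matters here: a user hammering their own reset button is noise, whereas one source touching many different accounts is the pattern both the reset abuse and the API scraping share. In production the key would be a mix of IP, session and device signals rather than a bare source address, and the thresholds would be tuned against real baseline traffic.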