• Instagram confirms account security and denies any breach
• Experts point to possible leak of millions of users’ data

Instagram denied that it had been subject to any data breach after a large number of users received emails prompting them to reset their account passwords.

The company clarified that it had resolved an issue that allowed "an external party" to send legitimate password reset requests to users, emphasizing that the platform’s systems were not breached and that accounts remain secure.

However, some experts questioned this explanation, with cybersecurity firm Malwarebytes claiming that the password reset emails were the result of an actual hack.

The firm stated in a post on X that “cybercriminals stole sensitive information from around 17.5 million Instagram accounts, including usernames, addresses, phone numbers, emails, and more,” attaching a screenshot of one of the password reset emails.

It added that the password reset emails were linked to the sale of personal data on a hacker forum, where the seller claimed to have the data of 17.5 million users.

The post claimed the data came from a “2024 leak,” while some security researchers suggested it was an old database compiled from publicly available information such as names and locations in 2022.

These emails, along with Malwarebytes’ warning, caused confusion and concern among thousands of social media users, some of whom feared the messages were phishing attempts to steal their information.

Instagram indicated that the links in the emails appeared legitimate and that the password reset steps users followed were safe, but it advised going directly to the app or website to change passwords and add extra layers of account protection.