Meta has confirmed that it recently fixed a vulnerability in Instagram’s password reset mechanism, while denying claims that its systems were breached, following reports that Instagram user data was leaked online.
In a statement posted on X on Sunday, Meta said the issue allowed third parties to trigger password reset emails for certain Instagram users.
“We fixed an issue that allowed an external party to request password reset emails for some Instagram users,” a Meta spokesperson told SecurityWeek.
The company did not disclose technical details about the vulnerability, but numerous users reported on X that they had received unexpected password reset emails. Some said the messages had been arriving for an extended period; others reported receiving them across multiple Meta platforms; and some suggested the emails were sent to a broader mailing list and were ignored.
Meta emphasized that the issue did not involve a compromise of its systems.
“We want to reassure everyone there was no breach of our systems and people’s Instagram accounts remain secure. People can disregard these emails and we apologize for any confusion this may have caused,” the spokesperson said.
Meta’s statement followed claims by cybersecurity firm Malwarebytes, which warned users that data linked to 17.5 million Instagram accounts had been leaked online. According to Malwarebytes, the exposed information included usernames, physical addresses, phone numbers, email addresses, and other details.
However, cybersecurity experts responding to Malwarebytes’ alert noted that the data was not newly stolen, but appeared to originate from a 2022 Instagram data leak. The same dataset had reportedly resurfaced in November 2024, they said.
On Sunday, breach notification service Have I Been Pwned confirmed that a threat actor had shared a dataset containing more than 17 million records on a hacking forum. The dataset includes 6.2 million email addresses, along with usernames, display names, account IDs, geolocation data, and phone numbers.
Have I Been Pwned stated that the leaked data does not appear to be related to the recently fixed password reset issue and was likely obtained through Instagram’s API.
“The scraped data appears to be unrelated to password reset requests initiated on the platform, despite coinciding in timeframe. There is no evidence that passwords or other sensitive data were compromised,” the service said.