Instagram Password Reset Scare Triggers Old Breach Fears, Meta Says Accounts Are Safe

“Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more,” Malwarebytes said, warning that the data could be “abused by cybercriminals”.

As the post spread on social media, many Instagram users replied that they too had received password reset emails they never requested. Even Troy Hunt, founder of the popular breach-monitoring service Have I Been Pwned, confirmed that he had received one.

“Who knows what the story is behind this? Scraping? Other?,” he wrote while sharing screenshots linked to the alleged leak.

However, a deeper look by independent cybersecurity researchers paints a different picture. Multiple experts say Instagram has not suffered any fresh breach in recent days and that the dataset now circulating online appears to be several years old.

The International Cyber Digest newsletter said the leaked information “appears to be from the Instagram 2024 API breach, in which 489 million records were obtained.” According to its analysis, the data originated from an API vulnerability that allowed attackers to scrape public and semi-private user profiles on a massive scale.

“Further analysis shows that the original file dump was created in 2022 and shared in 2023,” the cybersecurity page added, suggesting that what is being promoted now is simply a recycled dataset.

Backing this up, OSINT researcher Seb posted on X that, “The Instagram data leak file was created on 2022-06-20 10:37:22 and shared via a cloud service on 2023-03-24.” He added that while there is no sign of a new hack, the data may be getting redistributed, which explains why it is resurfacing now.

Some analysts even believe parts of the data could be older still. International Cyber Digest pointed to a 2019 article, stating, “This leak might be older than initially thought, possibly including data from 2017, which explains the phone numbers and email addresses it contains.”

So why did people suddenly start getting password reset emails?

Meta says it was due to a technical issue, not a hack. In a statement to a famous publication, a company spokesperson said, “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. We want to reassure everyone there was no breach of our systems and people’s Instagram accounts remain secure. People can disregard these emails and we apologize for any confusion this may have caused.”

So far, Meta has not confirmed any new data breach related to the Malwarebytes report.

Even if the data is old, the risks are still real. CyberPress warned that while passwords were not included, leaked phone numbers and email addresses can be used for SIM swapping or sophisticated social engineering. In such attacks, scammers pose as Instagram support and trick users into revealing two-factor authentication codes or login details.

To stay safe, users should enable multi-factor authentication, ideally using an authenticator app instead of SMS. It’s also important not to click on password reset emails unless you personally requested them.

Users can also check whether their information has appeared in past leaks by entering their email address on services like Have I Been Pwned or Malwarebytes’ digital footprint scanner. Even old data in the wrong hands can cause new trouble, making vigilance more important than ever.