- Many people received emails from Instagram about a password change that they did not request.
- Malwarebytes stated that data related to 17.5 million individuals was for sale on multiple websites.
- Instagram stated that this was due to a technical error and not an information security breach.

After a surge of unexpected password reset notifications raised concerns about a broad Instagram account hack, the social giant took action to reassure users.
The company insists there was no breach and says it has already fixed the underlying issue.
Unsolicited Password Change Emails Create Concern
A large number of Instagram users have expressed concern about the number of emails they have received regarding their Instagram accounts that they did not request.
Users received emails purportedly from Instagram stating that they had requested a password change and indicating that they could either change the password through the email or continue logging into their Instagram account as usual.
Even with these explanations, users grew alarmed as social media filled with reports of the same unsolicited emails.
Malwarebytes Raises Dark Web Concerns
Cybersecurity firm Malwarebytes has sounded the alarm after its dark web monitors spotted 17.5 million Instagram accounts up for sale. The company found the data during its routine surveillance of underground markets.
The records reportedly collected from these accounts included usernames, email addresses, phone numbers, and, in some cases, physical addresses.
Malwarebytes suggested that these may have come from a leak in 2024 when an Instagram API exposed data.
The firm also indicated that, if the data were authentic, it would allow for phishing attempts, impersonation of an account, or takeover of an account.
Instagram Denies Breach, Cites Technical Flaw
Instagram released a statement via its X account, stating that there had been no breach of its systems. The well-known free photo and short-video sharing platform assured users that their accounts are safe and stated that there has been no compromise of passwords.
Instagram went on to explain that, due to a technical issue, someone was able to trigger reset emails from the Instagram system without gaining access to any individual’s account. Instagram confirmed it has fixed the technical issue and apologized for the confusion it caused.
The social giant did not disclose who initiated the reset email request or how this technical issue was exploited.
What Users Should Know and Do Next
Instagram has advised users that legitimate security emails come only from addresses ending in @mail.instagram.com.
Instagram advises that a password reset request alone doesn’t mean you’ve been hacked. Security experts at TorNews.com and other firms continue to encourage users to do the following:
- Never click on links in unsolicited emails.
- Turn on two-factor verification for your account.
- Make secure, one-of-a-kind passwords for every social media account.
- Review activity on your Instagram account regularly through Meta’s Accounts Center.
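The sender-address rule above can be checked mechanically. The following is an added example, not from Instagram or the article: it compares the From domain exactly against mail.instagram.com and, going beyond the article, also requires a DMARC pass, because a From header on its own can be forged. The server name mx.example.net and all sample messages are constructed, and it assumes your own mail server stamps an Authentication-Results header.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "mail.instagram.com"  # sender domain named in the article

def sender_domain(msg):
    """Domain of the real From address; the display name is ignored."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def dmarc_passed(msg, authserv_id):
    """True only if a header written by our own server reports dmarc=pass."""
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip().lower() for p in value.split(";")]
        if parts[0].split()[:1] != [authserv_id.lower()]:
            continue  # not stamped by our server, so it may be forged
        for p in parts[1:]:
            if p.startswith("dmarc=pass") and f"header.from={TRUSTED_DOMAIN}" in p.split():
                return True
    return False

def classify(raw, authserv_id="mx.example.net"):  # hypothetical server name
    msg = message_from_string(raw)
    if sender_domain(msg) != TRUSTED_DOMAIN:  # exact match, not "contains"
        return "reject: sender domain mismatch"
    if not dmarc_passed(msg, authserv_id):
        return "suspicious: From header unauthenticated"
    return "ok: authenticated sender"

# Constructed sample messages (not real Instagram mail).
GENUINE = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=mail.instagram.com;"
    " dmarc=pass header.from=mail.instagram.com\n"
    "From: Instagram <security@mail.instagram.com>\n"
    "Subject: Reset your password\n\nbody\n"
)
LOOKALIKE = (
    "Authentication-Results: mx.example.net; dmarc=pass header.from=reset-help.example\n"
    'From: "security@mail.instagram.com" <security@mail.instagram.com.reset-help.example>\n'
    "Subject: Reset your password\n\nbody\n"
)
SPOOFED_FROM = (
    "Authentication-Results: mx.example.net; dmarc=fail header.from=mail.instagram.com\n"
    "From: Instagram <security@mail.instagram.com>\n"
    "Subject: Reset your password\n\nbody\n"
)

if __name__ == "__main__":
    for name in ("GENUINE", "LOOKALIKE", "SPOOFED_FROM"):
        print(name, "->", classify(globals()[name]))
```

A pass here only establishes who sent the message; as the incident shows, a genuine reset email can still arrive without you having requested it.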
Whether faced with a platform glitch or a confirmed breach, the core principles of response remain the same. For a comprehensive, step-by-step action plan if you think your data is exposed, follow our essential guide on critical steps to follow if your data is found on the dark web.
So, while Instagram says this incident involved no data breach, it shows that even small things like technical errors will reduce your confidence in your social media accounts, at a time when large-scale cyberattacks on major institutions are rampant. Just recently, hackers claimed in a dark web post to have breached HSBC USA. The bank firmly denied that claim, which showcases the constant cycle of claims, counter-claims, and heightened public anxiety that defines the current security landscape.