Major Instagram data breach: Did 17.5 million accounts just get exposed?

A new data leak reportedly may have compromised the personal information of 17.5 million Instagram users, raising concerns about account security on Meta platforms.

Cybersecurity firm Malwarebytes said the exposed data includes usernames, email addresses, phone numbers, physical addresses, and other sensitive details.

The company discovered the alleged leak during routine dark web monitoring and warned users about potential misuse, particularly through Instagram’s password reset process. Meta, however, has denied any Instagram data breach, assuring that user accounts remain secure.

Password reset emails raise concern

Last week, several Instagram users reported receiving unexpected password reset emails, prompting fears of a possible data breach. Malwarebytes linked this activity to the exposure of data associated with 17.5 million accounts worldwide.

“Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more,” the firm said. “This data is available for sale on the dark web and can be abused by cybercriminals.”

Meta denies large-scale breach

Meta has dismissed claims of a major Instagram data breach. In a post on X, the company said the issue involved an external entity sending password reset requests, not unauthorized access to Instagram systems. Meta confirmed no accounts were compromised.

Users share concerns online

Despite Meta’s reassurances, users around the world reported receiving unexpected password reset emails.

One user wrote that they had been getting Meta emails about changing their password for the past two weeks, while another said they received a notice that their account had been accessed and immediately changed their password.

Malwarebytes had also issued similar warnings on Bluesky, claiming that the personal data of 17.5 million Instagram users had been stolen and was available on the dark web. 

Past breaches raise concerns

This is not the first time Meta apps faced data security issues. In 2021, Facebook reported data exposure affecting over 530 million users, though the company said it involved scraping of public profiles, not a breach.

Other social platforms, including X and LinkedIn, have also suffered large-scale breaches, collectively affecting billions of users. 

How to keep your Instagram account safe

Even if Meta says no accounts were compromised, it’s a good idea to review your security settings. Here are the key steps recommended by Instagram:

Two-factor authentication (2FA)

• Adds an extra layer of protection by requiring a code for logins from unrecognized devices.

• Creator accounts have 2FA turned on by default; check yours hasn’t been disabled.

Strong passwords

• Avoid using personal information or generic passwords.

• Use unique combinations of letters, numbers, and symbols.

• Consider a third-party password manager like LastPass or 1Password.

• Change passwords regularly and immediately if you suspect a compromise.

If your account is hacked

• Visit Instagram Hacked to regain access.

• Secure your email accounts, since they can be used to access Instagram.

Other safety tips

• Only authorise trusted third-party apps.

• Log out on shared devices and avoid saving login info on public computers.

Following these steps can significantly reduce the risk of account compromise and give you greater control over your Instagram security.