Instagram asked millions to reset passwords, but Meta says it was just a bug

Emails were triggered by an API flaw, not a data breach

by · TechSpot


Ripple effect: Instagram users are no strangers to unsolicited warning emails and account takeover attempts. A recently reported incident, however, appears to stem from account data that was leaked online several years ago. While there may be little that is technically new, the associated risks remain relevant.

Is Instagram facing another coordinated cyberattack? Meta says no, despite reports that a large number of users are receiving emails urging them to reset their account passwords.

The situation gained attention after Malwarebytes alerted the security community to what it described as a possible data breach. According to the report, attackers had access to sensitive information associated with 17.5 million Instagram accounts, with usernames, physical addresses, phone numbers, email addresses, and other personal details allegedly circulating on underground forums.

Malwarebytes initially suggested the data was exfiltrated by exploiting a previously undisclosed API vulnerability. Instagram later confirmed that an API bug had existed, one that could be abused to mass-send password reset emails, but denied that any user data had been breached.

Meta said it has since fixed the bug, which it claimed affected only "some" users. As for the password reset emails themselves, the company advised recipients to ignore them, emphasizing that no passwords had been compromised.
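The bug class the article describes, a password-reset endpoint that dispatches an email on every request it receives, is easiest to see in a small model. The following is an added example written for this page, not Instagram's or Meta's code, and it says nothing about how the actual Instagram bug worked; the account names, the request limits, the window and the caller address are all constructed. It pairs the unthrottled pattern with a throttled one that limits both per target account (so one user cannot be flooded) and per caller (so one client cannot sweep many accounts), and it counts requests for nonexistent accounts too, so the limiter itself cannot be used to enumerate which usernames exist.

```python
"""Added example (hypothetical, not Instagram's or Meta's code): a minimal
model of a password-reset endpoint, showing why an unthrottled endpoint can be
used to mass-send reset emails and one way to throttle it."""
from collections import defaultdict, deque
import time

# Constructed sample account directory (hypothetical).
ACCOUNTS = {"alice", "bob", "carol"}


class MailOutbox:
    """Records reset emails instead of sending them, so the example runs offline."""
    def __init__(self):
        self.sent = []

    def send_reset(self, username):
        self.sent.append(username)


def reset_unthrottled(outbox, username):
    """Pattern to avoid: every request for an existing account sends an email."""
    if username in ACCOUNTS:
        outbox.send_reset(username)
    return {"status": "ok"}  # identical reply either way: no account enumeration


class ResetRateLimiter:
    """Sliding-window limiter keyed by target account and by caller (e.g. source IP).

    Both limits are needed: per-target stops one account being flooded,
    per-caller stops one client sweeping many accounts.
    """
    def __init__(self, per_target=3, per_caller=20, window=3600.0, clock=time.monotonic):
        self.per_target = per_target
        self.per_caller = per_caller
        self.window = window          # seconds
        self.clock = clock
        self._target_hits = defaultdict(deque)
        self._caller_hits = defaultdict(deque)

    def _prune(self, hits, now):
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()

    def allow(self, target, caller):
        now = self.clock()
        t, c = self._target_hits[target], self._caller_hits[caller]
        self._prune(t, now)
        self._prune(c, now)
        if len(t) >= self.per_target or len(c) >= self.per_caller:
            return False
        t.append(now)
        c.append(now)
        return True


def reset_throttled(outbox, limiter, username, caller):
    """Hardened pattern: consult the limiter before doing anything observable.

    The limiter is consulted for unknown usernames as well, so a caller cannot
    learn which accounts exist by watching when throttling kicks in.
    """
    if limiter.allow(username, caller) and username in ACCOUNTS:
        outbox.send_reset(username)
    return {"status": "ok"}  # same reply whether sent, unknown, or throttled


def sweep_unthrottled(targets, repeats):
    """Hypothetical abuse: one caller requests resets for many accounts repeatedly.
    Returns how many reset emails actually went out."""
    outbox = MailOutbox()
    for _ in range(repeats):
        for name in targets:
            reset_unthrottled(outbox, name)
    return len(outbox.sent)


def sweep_throttled(targets, repeats, per_target=3, per_caller=20):
    """Same sweep against the throttled endpoint from a single constructed caller."""
    outbox = MailOutbox()
    limiter = ResetRateLimiter(per_target=per_target, per_caller=per_caller)
    caller = "198.51.100.7"  # constructed address from the documentation range
    for _ in range(repeats):
        for name in targets:
            reset_throttled(outbox, limiter, name, caller)
    return len(outbox.sent)


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "mallory"]  # "mallory" does not exist
    print("unthrottled:", sweep_unthrottled(names, 10))
    print("throttled:", sweep_throttled(names, 10))
```

With four requested names, one of which is not an account, and ten passes, the unthrottled endpoint sends 30 emails, while the throttled one stops at three per existing account. Lowering the per-caller budget to 10 cuts the sweep off earlier still, because the request for the nonexistent "mallory" also spends that budget.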


The claim that 17.5 million accounts were targeted is muddied by inconsistencies. Cybersecurity researchers now believe the data in question likely originated from an API scraping incident in 2022. Meta, for its part, says it detected no security incidents involving Instagram between 2022 and 2024.

A more plausible explanation points even further back. The data may trace its roots to a large-scale API-related breach from 2017 – one that Instagram eventually acknowledged. In that scenario, the "new" dataset circulating online would simply be a repackaging of previously leaked information. Notably, the data does not appear to include passwords.

While there is no evidence that Instagram passwords were exposed, users should still treat any unsolicited password reset email with care. A genuine reset email changes nothing on its own if it is ignored; the real risk is a look-alike phishing message that imitates the legitimate ones and leads to a credential-harvesting page. If a reset was not requested, do not follow the link, and if in doubt open the app or site directly rather than through the email. Enabling two-factor authentication or passkeys remains one of the most effective ways to limit the damage from these low-effort but persistent attacks.