Instagram says some users have received suspicious password reset requests, but that it has not been compromised.
This seemingly contradicts a Friday Bluesky post by antivirus software company Malwarebytes, which shared a screenshot of an email from Instagram notifying users of a password reset request. The post claims that “cybercriminals stole sensitive information from 17.5 million Instagram accounts, including usernames, addresses, phone numbers, email addresses, and more.”
Malwarebytes added that this data “is being sold on the dark web and could be exploited by cybercriminals.”
However, Instagram later posted (on X, not Instagram or Threads) that it had “fixed an issue that allowed external parties to request some people's password reset emails.”
The company did not provide details about the external parties or the specific issue, but the post concluded: “Please feel free to ignore these emails. We apologize for the confusion.”
