Why millions got Instagram password reset emails but Meta says no hack

New Delhi: Instagram users across the world woke up to a familiar panic this week. Password reset emails. SMS codes. Alerts that felt wrong. Social media quickly filled with screenshots and fear, with many asking the same question. Was Instagram hacked again.

The confusion grew after reports claimed data from more than 17 million Instagram accounts had been leaked online. Cybersecurity firms flagged it, hackers bragged about it, and users were left guessing. Instagram, owned by Meta, moved fast to deny any fresh breach. But the story, like most cyber incidents, is a bit messy and far from black and white.

The noise started after Malwarebytes warned users that cybercriminals had access to data from around 17.5 million Instagram accounts. The dataset was shared freely on hacking forums. The person posting it claimed it came from a 2024 Instagram API leak.

Soon after, Instagram users began reporting password reset emails they never asked for. That timing made things worse. Many assumed the leaked data and the password emails were connected.

Instagram later admitted there was a bug. A Meta spokesperson said, "We fixed an issue that allowed an external party to request password reset emails for some Instagram users.” Meta also said there was no breach and accounts remained secure.

That statement calmed some nerves, but raised new questions.

Short answer. There is no proof of a new breach.

Security researchers and journalists dug deeper. What they found suggests the leaked dataset is old. Very old in internet years.

Several researchers on X pointed out that the same data appeared on forums as early as 2023. Some say it traces back to scraping incidents from 2022 or even earlier. Meta told BleepingComputer it is not aware of any API compromise in 2022 or 2024.

Instagram has a history here. In 2017, a bug allowed attackers to scrape personal details from about six million accounts. It is still unclear if the current dataset is a mix of that leak plus newer public data.

The leaked file is big. Over 17 million records. But it is uneven. Some entries only have a username and ID. Others have more.

Here is a simple breakdown of what was found.

Not every profile includes all this data. Many do not.

The dataset has now been added to Have I Been Pwned, which means users can check if their email appears in it.

Even if the data is old, the password reset flood was real.

Instagram confirmed it fixed a flaw that allowed someone to mass-request password reset emails. That does not mean attackers accessed accounts. It means they could trigger reset messages.

This kind of tactic often goes hand in hand with phishing. Attackers hope users panic, click fake links, or reply to scam messages pretending to be Instagram support.

Instagram says there is no need. No passwords were leaked.

Still, being careful never hurts.

Here is what users should do.

Attackers love recycled data. Even a five year old phone number can help them craft a convincing scam.

Hackers lie. A lot.

Add TV9 English As A Trusted Source

One security analyst put it bluntly online. Threat actors inflate numbers to get attention. Bigger leaks mean more clout. More fear. Sometimes more buyers.

In this case, one hacker repackaged an old dataset and sold it as new. The sample data matched files shared years ago. It worked. Panic followed.