Cybersecurity News Kinetic Potential

Instagram Fixes Password Reset Vulnerability Amid User Data Leak

Tue, 01/13/2026 - 08:57 / 0 Comments

Social media giant Meta on Sunday confirmed an Instagram password reset vulnerability but denied being breached, amid claims that Instagram users’ data has been leaked online.

The resolved vulnerability, the company said on X, allowed third parties to send password reset requests to Instagram users.

“We fixed an issue that allowed an external party to request password reset emails for some Instagram users,” a Meta spokesperson told SecurityWeek.

While the company has not shared further details on the weakness, many users complained on X about receiving such emails.

Some users said they have been receiving them for a long time, others received them across multiple Meta products, while others said the recent messages were sent to a “mail list” and were ignored.

“We want to reassure everyone there was no breach of our systems and people’s Instagram accounts remain secure. People can disregard these emails and we apologize for any confusion this may have caused,” the spokesperson said.

Meta’s denial of a data breach came shortly after cybersecurity firm Malwarebytes notified its users that hackers had leaked online data associated with 17.5 million Instagram accounts.

“Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more,” the company said on X.

Responding to Malwarebytes’ message, however, cybersecurity experts pointed out that the allegedly stolen information is not new, but rather part of a 2022 data leak. The same data was resurfaced by a threat actor in November 2024, the experts say.

On Sunday, data breach notification service Have I Been Pwned warned that a threat actor had indeed shared on a hacking forum a dataset containing more than 17 million entries.

The dataset contains 6.2 million email addresses. Usernames, display names, account IDs, geolocation data, and phone numbers were also leaked.

The data does not appear linked to the Instagram password reset issue and was allegedly obtained via an Instagram API.

“The scraped data appears to be unrelated to password reset requests initiated on the platform, despite coinciding in timeframe. There is no evidence that passwords or other sensitive data were compromised,” Have I Been Pwned notes.

*Updated with statement from Meta.

This article was published by Security Week. Please check their website for the original content.

Add new comment

About text formats

Plain text

  • No HTML tags allowed.
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
CAPTCHA This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
2 + 11 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.

Share The Story


Stay informed - subscribe to our newsletter.
The subscriber's email address.

Recent Posts