See Full Article: https://securitybrief.asia/story/instagram-denies-breach-after-17m-user-records-leak
Instagram has rejected claims of a data breach after a large dataset said to relate to about 17 million accounts circulated on hacking forums, while the company confirmed it fixed a technical issue that allowed outsiders to trigger password reset emails at scale.
Security software vendor Malwarebytes said cybercriminals stole sensitive information from 17.5 million Instagram accounts. Instagram publicly denied that it suffered a data breach. At the same time, users and researchers discussed a dataset online that allegedly contained account information for roughly 17 million users.
Posts on hacking forums distributed the dataset for free. The forum post claimed the information came from an unconfirmed Instagram API leak in 2024.
The forum post summarised the dataset by the number of unique values in each field: 17,015,503 IDs, 16,553,662 usernames, 6,233,162 email addresses, 3,494,383 phone numbers, 12,418,006 names and 1,335,727 addresses.
Instagram acknowledged a technical issue that allowed an external party to trigger mass password reset emails for many users. Instagram said its systems were not breached and user accounts remained secure. Instagram said it fixed the bug that enabled the unauthorised reset requests.
Instagram also urged users to ignore unsolicited password reset emails unless they personally initiated the request. It also advised users to enable two-factor authentication and follow standard security precautions.
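The bug described above let a third party send reset emails "at scale", which is the failure a reset endpoint's abuse controls exist to stop. Instagram has not published how its fix works, so the following is an added example rather than Instagram's code: a sliding-window limiter that caps reset requests both per requesting client and per targeted account, and a detector that scans request logs for one client fanning out across many accounts. The limits, the log format and the sample log lines are all constructed assumptions.

```python
"""Sliding-window rate limiting and burst detection for a password-reset
endpoint.  Added example, not Instagram's code: the limits, log format and
sample requests below are assumptions constructed for illustration.
"""
from collections import defaultdict, deque


class ResetLimiter:
    """Limit password-reset requests per requesting client and per targeted
    account.  The limits are hypothetical; the point is that one client must
    not be able to fan reset emails out across many accounts, and one account
    must not be flooded with resets."""

    def __init__(self, per_client_limit=20, per_target_limit=3, window_s=3600.0):
        self.per_client_limit = per_client_limit
        self.per_target_limit = per_target_limit
        self.window_s = window_s
        self._by_client = defaultdict(deque)   # client id -> request timestamps
        self._by_target = defaultdict(deque)   # account   -> request timestamps

    def _prune(self, q, now):
        # Drop timestamps that have left the sliding window.
        while q and now - q[0] > self.window_s:
            q.popleft()

    def allow(self, client_id, target_account, now):
        """Return True if a reset email may be sent for this request.  The
        caller should answer the requester identically whether or not the
        account exists, so the endpoint does not double as an enumeration
        oracle; only the email-sending step is gated here."""
        cq, tq = self._by_client[client_id], self._by_target[target_account]
        self._prune(cq, now)
        self._prune(tq, now)
        if len(cq) >= self.per_client_limit or len(tq) >= self.per_target_limit:
            return False
        cq.append(now)
        tq.append(now)
        return True


def find_mass_reset_sources(log_lines, window_s=60, min_targets=10):
    """Scan reset-request log lines of the constructed form
    '<unix_ts> <client_ip> <account> <status>' and return
    {client_ip: most distinct accounts targeted within any window_s span}
    for every client that reaches min_targets.  Normal users re-request a
    reset for one account; a mass-reset abuser hits many accounts quickly."""
    events = []
    for line in log_lines:
        ts, ip, account, _status = line.split()
        events.append((int(ts), ip, account))
    events.sort()
    recent = defaultdict(deque)   # ip -> (ts, account) pairs inside the window
    flagged = {}
    for ts, ip, account in events:
        q = recent[ip]
        q.append((ts, account))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        distinct = len({a for _, a in q})
        if distinct >= min_targets:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


# Constructed sample log: one client requesting resets for 12 different
# accounts in 12 seconds, and a normal user re-requesting a reset for their own
# account a few minutes apart.  Addresses are documentation ranges, not real.
SAMPLE_LOG = [f"{1700000000 + i} 203.0.113.5 user{i:02d} sent" for i in range(12)]
SAMPLE_LOG += ["1700000030 198.51.100.7 carol sent",
               "1700000200 198.51.100.7 carol sent"]

if __name__ == "__main__":
    print(find_mass_reset_sources(SAMPLE_LOG))   # {'203.0.113.5': 12}
    lim = ResetLimiter()
    decisions = [lim.allow("203.0.113.5", f"user{i:02d}", 1700000000 + i)
                 for i in range(22)]
    print(decisions.count(True), "allowed,", decisions.count(False), "blocked")
```

The per-target cap is what protects an individual user from a flood of unsolicited reset emails; the per-client cap is what stops a single source from reaching many accounts. The detector is the same idea run after the fact over logs, and is the kind of check that would have surfaced the behaviour Instagram described even before the endpoint itself was fixed.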
Two issues
Steven Swift, Managing Director at Suzu Labs, said the password reset behaviour and the dataset discussion pointed to separate problems.
"There are two separate issues with the Instagram incident. One being that it was possible to initiate a password reset for other users (this one is reported as fixed) and separately, someone aggregated what appears to be old breach data into a new package. Neither of these is a huge issue, though it will certainly make some users concerned," said Steven Swift, Managing Director, Suzu Labs.
Swift said the reset email issue appeared limited in scope and effect, based on available information. "It's going to be concerning for users to see someone else attempting a password reset. Note that this issue was limited to initiating a password reset. There's no indication that attackers were able to actually complete a password change. This makes it more of an annoyance than a major security threat," said Swift.
He also characterised the circulating dataset as a repackaging of older material. "For the data leak itself, this is old data. The only thing new here is that someone aggregated a bunch of leak data together and is now bragging about it. One of the unfortunate realities about using services on the internet is that personal data tends to leak out of most services, eventually," said Swift.
Swift said users had limited recourse once personal information appeared in public datasets. "Once the data is leaked, there's no way to put it back. If it's out, it's out," said Swift.
User actions
Swift advised users to focus on basic account hygiene and monitoring when they see unusual behaviour. "So, what can users do about it? For this incident, not much. It doesn't appear passwords were exposed, and the leak data was old. However, some general recommendations still apply," said Swift.
"If you're ever concerned after seeing suspicious activity on your account, any account, reset your password and double check that you have MFA in place. It's generally better to be a bit cautious here. Use a password that you don't use anywhere else. Ensure that it's sufficiently long and/or complex. Save your passwords in a password manager," said Swift.
Michael Bell, Founder and CEO at Suzu Labs, said the two strands of the incident created risk even if the leaked dataset did not include passwords. "Two separate issues hit at once. The dataset appears to be from a 2024 scraping or API exposure, while the password reset bug is a separate technical issue. No passwords in the leak sounds reassuring, but it doesn't take much to fill that gap. Those 6 million email addresses can be cross-referenced against infostealer logs and existing credential dumps to find matching passwords. Most people reuse credentials somewhere along the line. Instagram users should enable MFA and make sure they didn't use the same password in a bunch of other places," said Michael Bell, Founder & CEO, Suzu Labs.