At a Glance
- Instagram says no breach occurred despite viral reports of 17.5 million compromised accounts
- Antivirus firm Malwarebytes claimed stolen data includes usernames, phone numbers, and addresses
- Instagram admits only to a bug that let outsiders trigger password-reset emails
- Why it matters: Users must decide whether to trust Instagram’s denial or take protective steps

Instagram is pushing back against claims that hackers stole sensitive data on 17.5 million accounts, insisting the viral alarm stems from a far smaller bug that merely let outsiders request password-reset emails.

The dispute erupted Friday when cybersecurity company Malwarebytes posted on Bluesky. The firm shared a screenshot of an Instagram email notifying a user of a password-reset request and asserted that “cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.”
Malwarebytes added that the data “is available for sale on the dark web and can be abused by cybercriminals.”
Instagram responded hours later (on X, not its own platforms) with a brief statement: “We fixed an issue that let an external party request password reset emails for some people.”
The company offered no details about who triggered the emails or how the flaw worked. It closed the post with a three-word directive: “You can ignore those emails – sorry for any confusion.”
The conflicting narratives leave users caught between an antivirus vendor’s sweeping breach claim and a platform’s minimalist denial. Instagram’s statement does not address whether any data was actually accessed, nor does it explain why reset requests surged enough to spark widespread user alerts.
Malwarebytes has not released evidence tying the reset emails to a larger data theft, and Instagram has not shared logs that might disprove the breach. The standoff highlights a recurring pattern: security firms flag potential leaks, platforms downplay impact, and users scramble to assess risk.
For now, Instagram’s official guidance is simple: treat any unexpected reset notice as spam. Whether 17.5 million credentials are truly circulating online remains an open question that neither side has definitively settled.

