Last week, popular VPN maker NordVPN explained what seemingly went wrong as user data breach reports flooded the web.
Less than a week after that, Instagram, which is one of the most used social media apps, apparently went through a similar fate as cybersecurity and anti-malware firm Malwarebytes set off alarm bells on it a couple of days ago on January 9 when it alleged that cybercriminals had managed to steal the sensitive information of 17.5 million Instagram accounts. The company said the leaked user data included usernames, physical addresses, phone numbers, email addresses, and more, and warned that the data was purportedly already for sale on the dark web.
On its official Bluesky handle it wrote: "Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. ... This data is available for sale on the dark web and can be abused by cybercriminals."
The allegations were made as password reset and recovery mails from official Instagram support were sent out to users affected by this supposed data leak. As expected, the news raised questions about the scale of the incident since Malwarebytes stated that it affected 17.5 million users.
Following that, a day later Instagram responded to the reports saying that it managed to fix the issue. Across its various social media handles Meta told users that it resolved the problem which had allowed an external party to request password reset emails for users. It wrote: We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. .... You can ignore those emails ..."
Curiously, Instagram"s take on the matter appeared to be very different as it notes that the bug was affecting "some users" only, which is in sharp contrast to how Malwarebytes framed it.
Earlier today, breach-notification service Have I Been Pwned (HIPB) published its own advisory as it helps clarify the situation. Since Instagram denies any leak of user information in this particular incident, HIPB believes that the data breach of 17.5 million users that Malwarebytes earlier referred to is a separate incident even though the two incidents seem to overlap and coincide.
If you are wondering, recently a threat actor using the alias "Solonik" leaked what is claimed to be the compromised dataset of around 17.5 million user records formatted in JSON and TXT files. The dataset is titled “INSTAGRAM.COM 17M GLOBAL USERS — 2024 API LEAK” and as the name suggests, the information was seemingly harvested in late 2024 by scraping an Instagram API leak.
Thus it remains to be seen how things pan out as Instagram has not announced further measures beyond its initial clarification.
Source: Instagram, Malwarebytes, HIPB