In response to the recent frequent receipt of password replacement mail by Instagram users, the Cybersecurity company Malwarebytes reported that more than 17.5 million Instagram users were suspected to have leaked sensitive information, including user names, geographical locations, telephone numbers, e-mails, etc. However, the official Instagram maintained that the system had not been invaded and that user accounts remained “safe”.
In his statement, Malwarebytes stated that the data were “sold on the net and could be misused by criminals”. In its e-mail to the client, Malwarebytes revealed that the discovery had its origin in conventional dark web scans, possibly related to the 2024 Instagram API interface exposure event. It was reported that leaking information could lead to serious threats such as fishing attacks or account hijackings. Instagram responded by ignoring the recently received replacement of the password. “We have repaired the issue of allowing external parties to apply for re-ciphered mail for some users, and it needs to be clarified that our system has not been invaded and that the user Instagram account remains secure. You can ignore the e-mails, and we apologize for the trouble.”
“Instagram data leaks” were widely reported in several media after the Malwarebytes warned clients. The data were allegedly released free of charge in various hacker forums, and the publishers claimed that the data originated from the unconfirmed disclosure of Instagram API in 2024. The complete data set contains 170,1713 account information covering telephone numbers, user names, names, addresses, mailboxes and Instagram IDs. Not every record, however, contains complete information, but in part only ID and user names.
Disclosing data composition:ID: 17,015,503 user names: 16,553,662 e-mails: 6,233,162 telephone numbers: 3,494,383 names: 12,418,006 addresses: 1,335,727 network safety researchers on X claimed but did not provide conclusive evidence of the 2022 atoms. Meta indicated to the media that no API security incidents were observed in 2022 or 2024. However, Instagram did have an API data crawling incident before, and in 2017 a loophole led to the theft and trafficking of about 6 million account personal information. It is not clear whether the latest leak data is a compilation of information leaked in 2017 and recent years.
Fortunately, the leaking data did not contain password information and therefore there was no need to change the password. Relevant experts have warned that users need to be alert to targeted fishing attacks using this information, SMS fraud and social engineering attacks. Unlawful elements often use data leaks to try to steal additional information such as passwords. If you receive a password that is not initiated by yourself to reset the e-mail or SMS authentication code, you simply ignore the deletion.
