Instagram fixes password reset bug as alleged leak of 17 million accounts circulates online
Instagram has fixed a software flaw that allowed outside actors to trigger large volumes of password reset emails, as unverified claims circulated online that personal data tied to more than 17 million accounts had been scraped and released.
The company said the issue enabled an external party to request password reset emails for some users but did not involve unauthorized access to Instagram’s systems or accounts. Instagram emphasized that user accounts remain secure and that the emails can be safely ignored.
The incident drew widespread attention after warnings circulated that data from approximately 17.5 million Instagram accounts had been obtained by cybercriminals and shared publicly. The dataset was posted for free across multiple hacking forums, with the individual who shared it claiming the information originated from an Instagram application programming interface leak that allegedly occurred in 2024.
The exposed dataset contains more than 17 million Instagram profiles and includes a mix of personal and account-related details. These records include Instagram IDs, usernames, names, email addresses, phone numbers, and physical addresses, though not every record contains all fields. Some entries consist only of an account ID and username.
A breakdown of the data shows more than 17 million unique Instagram IDs, over 16.5 million usernames, about 6.2 million email addresses, nearly 3.5 million phone numbers, more than 12.4 million names, and roughly 1.3 million physical addresses.
Security researchers have suggested the data may not be the result of a recent incident and could instead stem from older scraping activity, potentially dating back several years. No technical evidence has been provided to confirm that the information was obtained through a new vulnerability. Instagram said it is not aware of any API compromises in either 2022 or 2024 and stated that there has been no new data breach.
Instagram has previously faced API scraping incidents, including a 2017 flaw that was exploited to collect and sell personal information linked to millions of accounts. It remains unclear whether the newly circulated dataset is a repackaging of older scraped data combined with information gathered from other sources over time.
There is currently no indication that account passwords were exposed as part of the leaked information. As a result, users are not being advised to change their passwords solely because of this incident.
Related Articles
Most Viewed
New rules, rising threats: why lean IT teams must rethink cyber-securitySponsored by CORO CYBER SECURITY
Don’t allow AI experiments to become quiet business risksSponsored by alice.io
The Expert View: Securing the AI-Driven WorldSponsored by Checkpoint
The Expert View: Reducing cyber-risk across OT and critical infrastructureSponsored by Claroty
The Expert View: Transforming security through risk intelligenceSponsored by Obrela
Winston House, 3rd Floor, Units 306-309, 2-4 Dollis Park, London, N3 1HF
23-29 Hendon Lane, London, N3 1RT
020 8349 4363
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543