**Instagram Denies Breach Amid Claims of 17 Million Account Data Leak**

In a statement, Instagram has denied that it was breached, despite claims that more than 17 million account profiles were leaked online. The alleged leak was sparked by a report from Malwarebytes, which warned its customers that cybercriminals had stolen data from 17.5 million accounts.

The shared data contains an extensive array of information, including phone numbers, user names, names, physical addresses, email addresses, and Instagram IDs. However, not all records contain the same amount of information, with some having as little as just an Instagram ID and a username.

Cybersecurity researchers on X claim that the scraped data is from a 2022 API scraping incident, but have not provided any clear evidence to confirm this. Meta, Instagram's parent company, told BleepingComputer that it is not aware of any API incidents in 2022 or 2024.

However, Instagram has previously suffered from API scraping incidents, such as a 2017 bug that was exploited to scrape and sell the personal information of an alleged 6 million accounts. It remains unclear whether the newly leaked Instagram data is a compilation of the 2017 leak and additional information from the past couple of years.

BleepingComputer contacted the person who leaked the Instagram information to confirm when it was stolen, but did not receive a response. Despite this, there is currently no evidence that this incident represents a new Instagram data breach.

Meta says it has fixed an issue that allowed external parties to mass-request password reset emails for some Instagram users. "We want to reassure everyone there was no breach of our systems and people's Instagram accounts remain secure," a Meta spokesperson told BleepingComputer.

"People can disregard these emails and we apologize for any confusion this may have caused." While the leaked data does not contain passwords, it is recommended that users stay vigilant against targeted phishing, smishing (text phishing), and social engineering attacks that utilize this information.

Experts warn that threat actors often use leaked data to try to steal additional information, such as a user's password. If you receive an Instagram password reset email or text codes to your phone number and did not initiate an account recovery, then simply ignore and delete them.

If you do not have two-factor authentication enabled on your account, it is strongly recommended that you turn it on to increase your security. In light of this incident, Meta's spokesperson added: "We are continuously working to improve the security of our systems and protect our users' accounts."