**Meta Fixes Instagram Password Reset Flaw, Denies Data Breach**

Meta, the parent company of Instagram, has recently fixed a vulnerability in the password reset process that allowed third-party entities to trigger reset emails. However, despite claims of leaked user data, Meta denies any breach and assures users that their Instagram accounts remain secure.

The issue, which was first reported by users on social media platforms, allowed an external party to request password reset emails for some individuals. In a statement released on X (formerly Twitter), Meta confirmed the fix and assured users that there was no breach of their systems.

"We fixed an issue that let an external party request password reset emails for some people," the company wrote. "There was no breach of our systems, and your Instagram accounts are secure." The statement also urged users to ignore any unsolicited password reset emails they may have received, apologizing for any confusion caused.

However, security experts warn that this is a serious privacy breach with real-world risks. According to Malwarebytes researchers, a sensitive database containing user data was recently put up for sale on a cybercrime forum, described as a "doxxing kit" affecting nearly 18 million Instagram users. The stolen data includes physical home addresses linked to Instagram user IDs.

The leaked dataset likely didn't come from Instagram profiles alone, but may have been combined with data from external sources such as marketing lists, data brokers, e-commerce platforms, or leaked customer records. This allows attackers to link online identities to physical addresses, posing a threat beyond spam or account takeovers.

This breach enables stalking, swatting, extortion, and identity theft, turning a digital privacy breach into a potential real-world safety risk. Have I Been Pwned (HIBP) also warned that a hacker shared a dataset of over 17 million records, including 6.2 million emails and other user data, allegedly scraped via an Instagram API.

"In January 2026, data allegedly scraped via an Instagram API was posted to a popular hacking forum," HIBP wrote in their post. "The dataset contained 17M rows of public Instagram information, including usernames, display names, account IDs, and in some cases, geolocation data. Of these records, 6.2M included an associated email address, and some also contained a phone number."

While Meta denies any breach, security experts are warning users to remain vigilant and take steps to protect their online identity.


**Stay Secure:**

* Always be cautious when receiving unsolicited password reset emails.
* Use strong and unique passwords for all accounts.
* Enable two-factor authentication (2FA) whenever possible.
* Keep your devices and software up-to-date with the latest security patches.

By staying informed and taking proactive steps to protect your online identity, you can minimize the risk of falling victim to a data breach or cyberattack.