Instagram “Data Breach” Increasingly Looking Like Hoax; Password Resets Likely Triggered by Old Information

Reports of a new Instagram data breach several days ago are being walked back as it becomes increasingly likely that a mysterious wave of password reset requests was caused by a new dark web compilation of very old information.

Instagram has posted to say that there is no data breach and that the password resets are nothing to worry about. They did not provide much additional information, but security researchers are filling in the gaps. A new collection of 17 million Instagram records that just surfaced on the dark web was likely the trigger, but closer examination of it reveals that much of it is likely “stale” data taken from Instagram API abuse incidents dating back to 2017.

Evidence increasingly points to no new Instagram data breach

Between Instagram themselves and the reputable third-party security researchers examining the stolen data, it appears fairly safe to assume there is no new data breach of the service. The dark web post itself claims the stolen information comes from an API abuse incident that took place in 2024. This likely refers to a reported breach of the API in November 2024, but one that was never confirmed by Instagram. In that case, there was a similar post to a dark web forum claiming to have 489 million stolen records for sale.

Researchers have also found the stolen data seems to be limited to basic account and contact information, and each record varies in what it contains. All of the 17 million records have an Instagram user ID and most additionally have the username and full name of the account owner, but it varies greatly beyond that. Less than half have account email addresses, and even fewer have phone numbers. Only about 1.7 million have a physical address.

Researchers instead think these records come from much older Instagram data breaches involving unauthorized API abuse. Specifically, one from 2022 (that Meta also never confirmed) and another from 2017 that involved similar leaked data from about six million accounts. There may also be some quantity of errant or made-up information in the mix; the sales offer comes from a relatively unknown group that has been highly active in offering breach packages lately but does not have much of a history or reputation.

Should Instagram users bother with a password reset?

Instagram has thus far only said that “some people” were impacted by the password reset messages and that the issue was fixed on January 11. It advises that accounts remain secure, but is there any good reason to do a real password reset at this point?

The incident does serve as a good prompt to review personal passwords for re-use. While the attackers almost certainly did not get access to login information, it could be trivial to cross-reference the stolen data with passwords leaked in other data breaches.

The rash of password reset messages was likely the result of the group (or someone they associate with) privately trying out the cache of information before ultimately discovering that it is stale and putting it up for sale instead. 17 million Instagram users represents only a small amount of the estimated three billion total worldwide, so for most users this issue is likely safe to ignore.

The only users that may want to take action are those that received one of the odd password reset emails, not just to review for re-used credentials but also to enable 2FA as a precaution if it is not on already.