Overview
- Instagram said a technical flaw let an external party trigger password reset emails for some users and that accounts remain secure.
- Mashable verified that many messages came from a real Instagram address with legitimate links, though they did not appear in the app’s recent emails log.
- A seller using the handle Solonik listed roughly 17 million Instagram-related records on a dark-web forum that reportedly exclude passwords.
- Malwarebytes researchers say the dataset may compile older exposures or relate to separate account-spraying activity, and its origin is still being investigated.
- Security guidance urges users to ignore unsolicited reset emails, enable two-factor authentication, change passwords only in-app, and review active sessions.