Overview
- Meta said it resolved a flaw that let an external party trigger Instagram password‑reset emails and reiterated there was no breach of its systems.
- Users worldwide reported unsolicited reset messages over the past two days, prompting confusion about account compromise.
- Malwarebytes and other researchers pointed to a trove of roughly 17–17.5 million records posted on hacking forums with emails, phone numbers and partial or physical addresses, but no passwords.
- Analysts say the dataset likely draws on earlier API scraping incidents rather than a fresh intrusion, with portions reportedly traded or offered in batches.
- Security guidance urges verifying messages via the app, enabling app‑based two‑factor authentication, avoiding links in emails, reviewing logged‑in devices, and updating unique passwords.