Overview
- Instagram said it resolved an issue that let an external party trigger password‑reset emails and reiterated there was no breach of its systems.
- A dataset totaling 17,017,213 profile records is circulating on BreachForums, posted under the handle “Solonnik”; it contains emails, phone numbers, usernames and partial addresses but no passwords.
- BleepingComputer and Hackread report the dataset appears to be repackaged scraping from 2022–2023 rather than a fresh 2026 compromise; Meta likewise frames the data as inconsistent with any recent API incident.
- Security firms warn the exposed contact details can fuel phishing, smishing, SIM‑swap, doxxing and extortion attempts even without passwords.
- Users are advised to ignore unsolicited reset links, verify alerts in the app’s Emails from Instagram section, enable app‑based two‑factor authentication, and review logged‑in devices and third‑party access.