A wave of password‑reset emails prompted concerns after Malwarebytes reported a breach exposing data of approximately 17.5 million Instagram users. The alleged leak allegedly included usernames, physical addresses, phone numbers and email addresses, and the firm warned the information was already for sale on the dark web.Instagram responded on X that the issue was limited to an external party being able to trigger password‑reset requests, not a system breach, and assured users their accounts remain secure. The company said the emails can be ignored and urged users to enable two‑factor authentication and review logged‑in devices via Meta’s Accounts Center.

Security analysts view the incident as a reminder that API exposures, such as the 2024 Instagram API flaw cited by Malwarebytes, can create indirect attack vectors even without a direct data breach. Affected parties include the millions of users whose personal details were listed, advertisers relying on platform trust, and regulators monitoring Meta’s compliance with data‑protection laws. The episode underscores the importance of continuous dark‑web monitoring and rapid patch deployment to mitigate reputational risk for large social‑media firms.