HomeNewsBreachesAbout
Account

Meta Denies Instagram Breach After Password Reset Panic

DataBreach.com Team · · January 11th 2026, 9:45 am EST

Meta Denies Instagram Breach After Password Reset Panic

Conflicting narratives emerged this week regarding the security of Instagram’s user data, with cybersecurity firm Malwarebytes claiming a massive dataset has hit the dark web, while Meta maintains its internal systems remain uncompromised.

The incident has caused widespread confusion among the platform’s user base, millions of whom were subjected to a wave of unprompted password reset emails between January 9 and January 11. While security researchers point to a resurfaced API leak as the culprit, Instagram’s parent company attributes the chaos to a bug.

Meta Responses: "No Breach"

Following days of user complaints regarding the spam-like password reset notifications, Meta’s communications team issued a statement early Sunday attempting to quell fears of a direct hack.

Writing via their official X (formerly Twitter) handle, the company stated:

The statement characterizes the incident not as a data exfiltration event, but as an abuse of the platform’s account recovery tools.

The Malwarebytes Report

Despite Meta's assurances, Malwarebytes has issued a distinct warning regarding a dataset they discovered circulating on the cybercrime marketplace BreachForums.

According to the security firm, a threat actor operating under the alias "Solonik" uploaded a file on January 7, 2026, titled "INSTAGRAM.COM 17M GLOBAL USERS - 2024 API LEAK." The posting claims to contain sensitive personally identifiable information (PII) for approximately 17.5 million users.

Malwarebytes’ analysis of the leak indicates it includes:

  • Usernames and full real names
  • Email addresses
  • Phone numbers
  • Location data (specifically state and city information)

Notably, the dataset does not appear to contain passwords. However, the aggregation of contact details with real names creates a high potential for targeted social engineering attacks.

The "Zombie" API Theory

Security analysts suggest the data is likely not from a new intrusion, but rather "scraping" residue from a 2024 vulnerability in Instagram’s Application Programming Interface (API).

APIs are the mechanisms that allow different software components to communicate. In previous instances, scrapers have exploited weaknesses in Instagram's contact importer tools to verify millions of phone numbers against usernames. If the "Solonik" dataset is indeed a repackaged version of this older data, it explains how Meta can truthfully claim no new breach occurred this week, even while valid user data circulates online.

Connecting the Leak to the Email Storm

The release of the data on January 7 correlates closely with the global spike in password reset emails reported just 48 hours later.

Security experts theorize that malicious actors likely utilized the email addresses and usernames from the "Solonik" dump to script a mass request of Instagram’s "Forgot Password" form. This tactic, often used to test the validity of emails or simply to harass users, would trigger legitimate emails from Instagram’s official servers, lending the attack a veneer of credibility.

While the "technical issue" Meta referred to may have been the rate-limit failure that allowed so many requests to be sent at once, the underlying fuel for the spam campaign appears to be the leaked user directory identified by Malwarebytes.

For media inquiries, contact us at contact@databreach.com