Instagram users across India and the globe were left alarmed last week after a flood of unexpected password reset emails hit their inboxes. This wave of suspicious activity has now been linked to a massive data breach, with cybersecurity experts reporting that sensitive information belonging to a staggering 17.5 million Instagram users has been compromised and put up for sale on the dark web.
What Happened in the Instagram Data Breach?
On Saturday evening, Indian Standard Time, the cybersecurity firm Malwarebytes sounded the alarm. They reported a significant data theft from the Meta-owned platform, stating that cybercriminals had stolen a trove of personal data. This data dump reportedly includes usernames, physical addresses, phone numbers, and email addresses. Malwarebytes warned that this information is now available for purchase by bad actors and could be easily abused for targeted attacks.
The report gained immediate traction as numerous users flooded Malwarebytes's social media posts, confirming they had received the puzzling password reset requests. Even Troy Hunt, the creator of the renowned data breach tracking service 'Have I Been Pwned', confirmed receiving such an email, questioning the source of the leak.
Is This a New Hack or Old Data?
While the incident is causing fresh panic, several cybersecurity researchers have provided crucial context. They point out that Instagram's systems were not recently hacked. Instead, the data being sold appears to be from a previous incident. The cybersecurity newsletter International Cyber Digest stated the leaked data "appears to be from the Instagram 2024 API breach", which involved 489 million records.
Further analysis suggests the data is even older. The original file was likely created in 2022 and shared in 2023. Some researchers, like 'Seb' on X, provided a precise timestamp, noting the file was created on June 20, 2022. International Cyber Digest dug deeper, sharing a 2019 article and suggesting the leak might include data from as far back as 2017. The fresh development, according to experts, is that this previously scraped data is now being actively distributed and sold on dark web forums.
Meta's Response and User Risks
In response to the growing concerns, Meta issued a statement to Hindustan Times. A company spokesperson said, "We fixed an issue that allowed an external party to request password reset emails for some Instagram users. We want to reassure everyone there was no breach of our systems and people’s Instagram accounts remain secure." The company has asked users to disregard the emails and apologized for the confusion, but has not publicly commented on the specific data breach report by Malwarebytes.
Regardless of the data's age, the exposure of personally identifiable information (PII) like phone numbers and email addresses poses a real and present danger. CyberPress highlighted that this information is sufficient for SIM-swapping attacks and sophisticated social engineering scams. In such attacks, fraudsters can impersonate Instagram support to trick victims into revealing two-factor authentication codes and login credentials.
What Indian Instagram Users Must Do Now
While the full details are still emerging, users must take immediate steps to secure their accounts. Here is a critical action list:
- Enable Multi-Factor Authentication (MFA): Do not rely on SMS-based codes, which an attacker can intercept after a SIM swap. Use an authenticator app like Google Authenticator or Authy for a more secure layer of protection.
- Ignore Unsolicited Password Resets: Never click on links in password reset emails you did not request. Always go directly to the official app or website to manage your account.
- Check Your Digital Footprint: Visit websites like Have I Been Pwned or Malwarebytes's digital footprint scanner. Enter your email address to see if it was involved in this or any other past breach.
- Stay Vigilant: Be extremely cautious of any communication claiming to be from Instagram support, especially those asking for codes or passwords.
This incident serves as a stark reminder for all social media users in India to regularly audit their privacy settings and proactively strengthen their account security.