Meta fixes Instagram password reset flaw, denies data breach

Meta fixes Instagram password reset flaw, denies data breach

https://securityaffairs.com/186829/security/meta-fixes-instagram-password-reset-flaw-denies-data-breach.html

Publish Date: 2026-01-12 13:53:51

Source Domain: securityaffairs.com

Meta recently resolved a vulnerability in Instagram’s password reset mechanism that allowed unauthorized third parties to send password reset emails to users. The issue resulted in the receipt of over a million unsolicited reset emails, raising concerns about potential data breaches. Despite these incidents and accompanying claims, Meta officially denied that any system breach had occurred and assured users that their Instagram accounts remained secure. Although the company encouraged users to disregard these reset emails, security experts highlighted severe privacy implications, with some fearing user data may already be circulating on the dark web.

In the same period, a sensitive database purportedly featuring nearly 18 million Instagram user records surfaced on a cybercrime forum. Described as a “doxxing kit,” the dataset included physical home addresses associated with Instagram user IDs, potentially allowing for stalking, swatting, extortion, and identity theft. The threat posed by linking online identities with physical addresses goes beyond typical phishing attempts and raises severe real-world safety risks. While it remains unclear if this data breach was directly connected to the password reset flaw, the potential privacy risks involved in such a leak are undeniable.

Key Points:

– Meta fixed an Instagram password reset vulnerability allowing third parties to send password reset emails.
– Despite claims of data breach or leak, Meta stated that no breach occurred and assured account security.
– A “doxxing kit” on a cybercrime forum with up to 18 million Instagram users’ data, including physical addresses, raised serious privacy concerns.
– The linked data could facilitate serious criminal activities like stalking, swatting, and identity theft.
– Over a million users received unsolicited reset emails, causing confusion and raising cybersecurity worries.