KEY POINTS
- Cybersecurity firm reports data leak involving 17.5 million Instagram users’ personal information on dark web.
- Meta denies any breach, attributing recent password reset requests to external activity, not a system compromise.
- Incident revives scrutiny over Meta’s past data security issues, including a 2021 exposure of 530 million users’ data.
ISLAMABAD: Cybersecurity firm Malwarebytes has raised a red flag, claiming that personal information associated with 17.5 million Instagram users is circulating for sale on the dark web.
According to the firm, the exposed data allegedly includes sensitive details such as usernames, email addresses, phone numbers, and even physical addresses.
Malwarebytes stated it identified the data during routine dark web monitoring and warned that such information could be weaponised for phishing attacks, account takeovers, or identity fraud.
A particular risk highlighted is the potential misuse of Instagram’s password reset system by malicious actors in possession of user email addresses and phone numbers.
User reports & Meta’s official response
The claims coincide with numerous user reports over recent weeks of receiving unexpected and repeated password reset emails, as well as alerts about attempted logins, fuelling fears of a significant breach.
Many concerned users took to social media platforms to share their experiences, with some stating they had proactively changed their passwords as a precaution.
In response, Meta has issued a categorical denial. The company asserts that its internal investigations found no evidence of a system breach or unauthorised access to its databases.
“This activity involved an external entity sending password reset requests,” a Meta spokesperson stated. “This does not amount to a data breach, and user accounts remain secure.”
History of scrutiny and expert security advice
This incident has revived scrutiny of Meta’s history with data security. In a notable 2021 episode, Facebook acknowledged that data from over 530 million users had been exposed online.
The company attributed that incident to “scraping” of publicly accessible profile information, rather than a direct hack of its servers.
Despite Meta’s assurances, cybersecurity experts are urging users to take proactive steps to secure their accounts. Recommended actions include:
- Enabling two-factor authentication (2FA).
- Using a strong, unique password for Instagram.
- Reviewing and revoking access for any unfamiliar third-party apps connected to the account.
- Ensuring that any linked email accounts are also secured with robust passwords and 2FA.
The situation underscores the ongoing challenges of data privacy in the digital age, as user information allegedly obtained from past leaks or external sources continues to pose risks through secondary exploitation on the dark web.
