On January 11, foreign media outlet Daily Mail reported that millions of Instagram users around the world had received an unusually large number of password reset emails, causing widespread security concerns. Several cybersecurity agencies and foreign media pointed out that non-password personal information (including usernames, real names, email addresses, phone numbers, partial addresses and other contact information) from about 17.5 million accounts was suspected to have been illegally obtained through the Instagram API in 2024, and was publicly released on BreachForums by a threat actor codenamed "Solonnik" on January 8, 2026. The data set contains more than 17 million records and is available for free download.

After the incident came to light, the security company Malwarebytes issued an early warning on social platforms on January 10, emphasizing that although the data did not contain cleartext passwords or encrypted credentials, the highly structured personal identity data could easily be used for follow-on criminal activity such as spear phishing, social engineering attacks, identity impersonation, and financial fraud. During the same period, a large number of users reported receiving standardized reset emails from Instagram within a short span of time. The emails contained a prominent blue "Reset Password" button and a standard prompt: "If you ignore this email, your password will not be changed; if no request is initiated, please inform us."
In response to public concerns, Meta issued an official statement on January 11. The company made it clear: "No data breach has occurred, Instagram systems have not been compromised, and user accounts remain safe."
According to a Meta spokesperson, the large-scale wave of emails was caused by a technical vulnerability, since fixed, that allowed outsiders to bypass the normal verification process and initiate fake password reset requests in batches for some Instagram users, which in turn caused the system to automatically send reset emails.
Meta emphasized that the relevant vulnerabilities were repaired as soon as possible after discovery, and confirmed that there is no evidence that the problem was used for malicious account takeover or other lateral movement. Meta apologized for the public confusion caused by this false alarm and reiterated its commitment to continue investing in infrastructure security upgrades and API access control.