Instagram denied suffering a data breach after users reported receiving unexpected emails asking them to reset their passwords.
The company said it had fixed an issue that allowed an external party to trigger legitimate password reset requests.
There was no breach of our systems.
Instagram said.
Cybersecurity firm Malwarebytes disputed the explanation, claiming millions of accounts had been compromised.
Cybercriminals stole the sensitive information of 17.5 million Instagram accounts.
Malwarebytes said.
Malwarebytes said the emails were linked to an alleged sale of private user data on a hacker forum.
The advert claimed the data originated from a leak in 2024, though no supporting evidence was provided.
Some security researchers believe the data may instead come from older publicly accessible information collected in 2022.
Instagram did not clarify how the external party was able to trigger password reset emails on its platform.
Users were advised to change passwords directly through the app or website and enable additional security protections.