Meta admits to Instagram password reset mess, denies data leak

infosec in brief Meta has fixed a flaw in its Instagram service that allowed third parties to generate password reset emails, but denied the problem led to theft of users’ personal information.

Last Friday, security software vendor Malwarebytes claimed “Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.” The vendor included a screenshot of a password reset email sent to Instagram users.

On Saturday, Instagram posted the following: “We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails — sorry for any confusion.”

The Register understands that Malwarebytes was probably referring to a dataset posted to notorious data leak site BreachForums, where a user posted a dump of 17-million-plus Instagram users’ personal information and claimed ...