Big news for Instagram users, personal information of over 17 million users found on dark web, Meta issues clarification

Millions of Instagram users across the globe are in a state of panic as the personal data of as many as 17.5 million accounts are reportedly being sold on the dark web. The reports which also renewed concerns about privacy and account security on the internet, the accounts’ information is currently being exchanged on the dark web.

Cybersecurity company Malwarebytes, which spotted the initial online conversation, reported that on several hacker forums, the suspected database, which is suspected to contain information related to username, email, phone number and other contact information of as many as 17.5 million Instagram accounts from across the world was posted.

What Data was Exposed?

The data which was leaked allegedly contained:

• Usernames
• Full names
• Email addresses
• Phone numbers
• Partial physical address
• Other public profile information

According to the report, although passwords were not part of the leaked data, experts have reiterated that phone numbers and email addresses alone would be enough to allow scammers and fraudsters to conduct phishing and social engineering attacks, SIM-swap and other scams.

How was Data Leaked?

Analysts believe the data which has come to light is believed to have originated from an API leak, from 2024, where data was scraped and compiled and later put up for sale on one of the hacker forums under the title: “INSTAGRAM.COM 17M GLOBAL USERS – 2024 API LEAK.”

Analysts explained that although API scraping and harvesting do not penetrate systems like a major data breach or hack, it is still a form of social engineering and cyber threat that if not properly prevented or secured, could harvest data from multiple sources at once.

Instagram’s parent company Meta has reacted to the allegations that data on 17.5 million accounts is being traded on the Dark web, by denying that there was an Instagram hack or data breach.

Instagram and Meta Respond to Scare

On its X account, the company, in a public statement, said that there was no evidence of a breach in Instagram’s system and instead reiterated that the reason behind the numerous password reset emails that users started receiving was due to the activities of an external party who exploited a security loophole.

The tech giant has since reassured its users that their accounts are not at risk and have asked users not to heed any password reset emails not initiated by them.

Surge in Suspicious Password Reset Emails

The unexpected password reset emails started flooding accounts on Saturday, 25th August, as was posted in several places, and not being an experience directly initiated by Instagram, but an abuse of a security loophole by an external party has got several users concerned about their account security as no reason was provided by Meta or Instagram on why users started receiving the emails.

Some of the emails, it is believed could be sent legitimately as a result of attacks on a certain user’s accounts, while some may have been sent by malicious actors who leveraged some of the contact information now on the dark web.

What You Should Do Now?

Analysts have advised users to take some security precautions to prevent their accounts from being exploited by malicious actors:

• Enable 2FA for accounts using an authentication app
• Using unique and strong passwords for their accounts
• To be on the lookout for unsolicited reset requests and links
• Check regularly for email security and recovery goals

The analysts also warned that while the passwords were not among the data allegedly being traded on the Dark web, the information should be a lesson that even without direct exposure of one’s password, malicious actors can use your personal contact information and your data against you.