New Delhi: Meta has pushed back against reports of a large-scale Instagram data leak, saying there was no breach of its systems even as cybersecurity researchers warned that personal information linked to millions of accounts may be circulating on the dark web.
The claims surfaced after Malwarebytes, an antivirus software firm, reported on January 9 that personal data associated with more than 17.5 million Instagram accounts was allegedly exposed. According to Malwarebytes, the information is tied to an Instagram API exposure dating back to 2024 and is now being offered for sale by cybercriminals.
The dataset flagged by the firm is said to include usernames, phone numbers, email addresses, physical addresses and other details. Malwarebytes said it identified the data during a routine scan of dark web marketplaces. Around the same time, several Instagram users reported receiving repeated password reset emails, an issue the firm linked to the alleged leak.
Meta, however, has denied that user accounts or internal systems were compromised. In a statement, a Meta spokesperson said, “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. We want to reassure everyone there was no breach of our systems and people’s Instagram accounts remain secure. People can disregard these emails and we apologise for any confusion this may have caused.”
Despite the denial, Malwarebytes cautioned that exposure of personal information can still carry serious risks. Such data can be used for phishing campaigns, unauthorised account access, or attempts to break into accounts on other platforms using the same login details, a method commonly known as credential stuffing.
The issue has particular relevance for India, which has the largest Instagram user base globally, estimated at around 480.55 million as of October 2025, according to Statista. India also accounts for more than 500 million Facebook and WhatsApp users, making it Meta’s biggest single market.
Under India’s Digital Personal Data Protection Act, 2023, details such as phone numbers and email addresses are categorised as personal data. The law defines a personal data breach as any unauthorised or accidental disclosure, access, sharing, use or loss of personal data that affects its confidentiality, integrity or availability.
India is still in the early stages of enforcing its new data protection framework. While the government notified the DPDP Rules, 2025, last November and has operationalised provisions such as amendments to the RTI Act and the setting up of the Data Protection Board of India, several user-focused safeguards are yet to come into force. Requirements around informed consent, limited data use, and mandatory breach notifications are expected to be implemented after an 18-month transition period, with timelines potentially differing for large technology companies and start-ups.
In the meantime, cybersecurity experts are advising users to take precautions. Malwarebytes has urged Instagram users to review active logins through Meta’s Accounts Center and enable two-factor authentication to reduce the risk of unauthorised access.
BI Bureau
