12th January 2026 Cyber Update: Instagram Denies Breach Amid Data Leak & Password Reset Chaos

Instagram is denying a system breach after data from 17.5 million accounts was leaked online and users were hit with a wave of password reset emails. Meta says it fixed a bug causing the email spam, but the leaked data, though likely old, still poses a significant phishing risk to users.

Photo by Solen Feyissa

Cyber News Centre's cyber update for 12th January 2026: Widespread confusion has hit Instagram users globally as a password reset bug coincided with the leak of data from a reported 17.5 million accounts, forcing parent company Meta to deny its systems were breached while urging users to remain vigilant.

The Update and Why It Matters

Update: Over the past 48 hours, Instagram users have been targeted by a confusing series of events. A wave of unsolicited but legitimate password reset emails flooded inboxes, sparking fears of a mass account compromise. Simultaneously, a dataset containing 17.5 million Instagram profiles was released for free on hacking forums. The leaked data includes usernames, names, emails, phone numbers, and physical addresses.

In response, Meta issued a statement clarifying that there was "no breach of our systems." The company stated it had fixed a bug that "allowed an external party to request password reset emails for some Instagram users" and advised users to disregard the emails.

While Meta denies a new breach, the source of the leaked data remains contentious. The leaker claims it was scraped via a 2024 API leak, but security researchers suggest it is more likely a compilation of older data, possibly from a known 2022 scraping incident or even a 2017 API bug. Crucially, the leaked data does not contain passwords.

Why it Matters: This incident, despite Meta's denial of a "breach," is a security issue with significant implications for users. The combination of the password reset scare and the data leak creates a perfect storm for phishing attacks. Even if the leaked data is old, it is now freely available and can be used by criminals to craft highly convincing and targeted phishing emails or text messages. An attacker, armed with a user's real name, email, and phone number, could easily trick them into revealing their password or other sensitive information.

The incident highlights that the definition of a "breach" is often debated; while systems may not have been infiltrated in a traditional sense, the mass scraping and release of user data is a severe privacy violation. It serves as a critical reminder for all social media users to enable two-factor authentication, which provides a vital layer of security even if a password is stolen, and to be extremely cautious of any unsolicited communications, even if they appear to come from a trusted source like Instagram.

