A reported data leak has raised concerns over the security of Instagram accounts after cybersecurity firm Malwarebytes claimed that personal information linked to 17.5 million users may be circulating on the dark web.

According to Malwarebytes, the exposed data allegedly includes usernames, email addresses, phone numbers and physical addresses.

The firm said it identified the data during routine dark web monitoring and warned that it could be misused, particularly through Instagram’s password reset system.

The claims surfaced after numerous Instagram users reported receiving unexpected password reset emails in recent weeks, prompting fears of a breach.

Meta, Instagram’s parent company, has denied that its systems were compromised.

In a statement, Meta said the activity involved an external entity sending password reset requests and did not amount to unauthorised access or a data breach.

The company maintained that user accounts remain secure.

Despite the denial, users took to social media to share concerns, with some saying they received repeated password reset notifications or alerts about attempted logins, prompting them to change their passwords.

Malwarebytes said the alleged data is being offered for sale online and could be exploited for phishing, account takeovers or identity fraud.

The incident has revived scrutiny of Meta’s past data security issues.

In 2021, Facebook acknowledged that data from more than 530 million users had been exposed through the scraping of public profiles, though it said the information was not obtained through a hack.

Cybersecurity experts advise users to remain cautious by enabling two-factor authentication, using strong and unique passwords, reviewing authorised third-party apps, and securing linked email accounts.