Instagram users got strange password reset emails, then Meta revealed what really happened, and it’s worse than you think

Meta fixed a problem in Instagram that let outsiders ask for password reset emails. But the company says no user information was stolen. Last Friday, a security company called Malwarebytes said hackers stole personal data from 17.5 million Instagram accounts. This data included usernames, home addresses, phone numbers, and email addresses. The company even shared a screenshot of a password reset email that Instagram users received.

Later, Instagram explained what really happened. They said they fixed a bug that allowed someone from outside to request password reset emails for some users. Instagram made it clear that their systems were not hacked and all accounts are safe. They told users to ignore those emails and said sorry for the confusion.

The Register found out that Malwarebytes was likely talking about a data dump posted on BreachForums, a website known for sharing leaked data. A user there posted personal information of over 17 million Instagram users and claimed it came from an API leak that happened in 2024.

Veeam patches serious security holes that could help ransomware attacks

Veeam, a company that makes backup software, fixed four security problems last week. All four bugs could let accounts with special access either run harmful code or write files as a root user. The most serious one, called CVE-2025-59470, got a 9.0 score on the security scale.

Veeam didn’t share many details. They only said that CVE-2025-59470 could let a Backup or Tape Operator account run harmful code by sending a bad interval or order command to the system. Many users received official-looking emails about the data leak that caused widespread panic.

Sagy Kratu works at Vicarius, a company that fixes security problems automatically. He said this bug could let ransomware attackers cause major damage. He said, “The critical Veeam flaw matters less because it’s ‘critical’ on paper and more because of where it sits in an attack chain.” A Backup or Tape Operator role is exactly the kind of access that ransomware attackers usually get after they first break into a system.

Kratu explained, “Veeam keeps appearing in attacks for a simple reason, backup servers control whether clean data still exists and can be restored.” Once attackers control Veeam, they can delete backups, stop data recovery, and turn a break-in into a major crisis. Meanwhile, Instagram recently launched its app on TV platforms with unexpected viewing options for users.