Instagram has reassured users that their accounts remain secure after a sudden surge of unexplained password reset emails caused confusion and concern across the platform, sparking fears of a major cybersecurity breach.
The emails, which appeared to come from legitimate Instagram addresses, stated that a request had been made by the user to reset their password — even though they had not made one. While the message claimed that ignoring the email would not change the password, many users were alarmed by the unexpected notifications.
Malwarebytes Flags Possible Data Leak
The concern intensified after antivirus company Malwarebytes claimed that sensitive information linked to 17.5 million Instagram accounts was being sold on the dark web. According to the firm, the alleged data included usernames, email addresses, phone numbers, and even physical addresses.
Malwarebytes stated the discovery was made during a routine dark web scan and suggested the data may be linked to an Instagram API exposure dating back to 2024. The company warned that such information could be misused by cybercriminals for phishing scams or account takeover attempts.
Instagram Denies Breach, Fixes Technical Issue
In response, Instagram has strongly denied that its systems had been compromised and that user accounts were “secure.” In a statement posted on X (formerly Twitter), the company said the issue was caused by a technical flaw that allowed an external party to request password reset emails without accessing user accounts. Instagram added that users could safely ignore the emails and apologised for the confusion caused.
However, the company did not provide further details about who the external party was or how the issue was exploited, but said the problem has now been resolved.
What Users Should Do Now
Instagram has also reminded users that official emails are sent only from addresses ending in @mail.instagram.com and that receiving a password reset email does not automatically mean an account has been hacked.
To stay safe, users are encouraged to:
- Avoid clicking links in unsolicited emails or suspicious links
- Enable two-factor authentication
- Change passwords regularly
- Review logged-in devices in Meta’s Accounts Center
While Instagram says this incident was not a data breach, the incident highlights how easily technical glitches can cause widespread alarm — and why strong account security remains essential.
