Instagram has said that its systems were not breached and that recent password reset emails some users received were triggered by an external party abusing a now-fixed issue.
The company says user accounts remain secure and that the unexpected reset emails can be safely ignored.
The clarification follows reports of a large-scale Instagram data leak in which details of roughly 17.5 million accounts were advertised on cybercrime forums.
That dataset, reportedly scraped in 2024, contained usernames, email addresses, phone numbers, and partial location data, fuelling fears of account takeovers and targeted phishing attacks.
In a brief public statement, Instagram said it had “fixed an issue that let an external party request password reset emails for some people.” The platform stressed that there was “no breach of our systems” and assured users that their Instagram accounts “are secure,” directly countering speculation that attackers had gained internal access.
“We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. You can ignore these emails — sorry for any confusion.” Instagram (@instagram), January 11, 2026
According to Instagram, the flaw allowed unknown parties to trigger legitimate password reset emails without having compromised the affected accounts.
While this behavior was alarming for users, the company indicates it did not give attackers the ability to change passwords or log in; rather, it was used to spam reset prompts as a nuisance or social engineering vector.
Instagram’s message tells users that they can ignore any unsolicited password reset emails that arrived during this period.
Even so, security professionals recommend enabling two-factor authentication, using unique passwords, and remaining wary of phishing messages that reference recent security news to appear more convincing.
The timing of the reset email issue, alongside the appearance of the 17.5 million-record dataset on dark web markets, has raised questions about whether scrapers or threat actors used exposed contact data to target specific users.
While Instagram maintains its core infrastructure was not compromised, experts say the incident highlights how large-scale data scraping and minor platform flaws can combine to create serious perception and security risks for social media users.
