Instagram has addressed an issue that caused many users to receive repeated password reset emails, a situation that sparked widespread concern and speculation about a large-scale data breach. Users have been reporting an unusual increase in account recovery messages in recent weeks, which has led to suspicions that Instagram’s systems have been compromised.
Cybercriminals are said to have obtained a database that contained data from roughly 17.5 million Instagram accounts, according to cybersecurity company Malwarebytes. In addition to sensitive personal information like physical addresses, phone numbers, email addresses, and other identifying information, the exposed data allegedly contained usernames. According to reports, this dataset was made available for purchase on the dark web, which might have led to further malicious activity directed at impacted users.
Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. This data is available for sale on the dark web and can be abused by cybercriminals.
— Malwarebytes (@malwarebytes.com) 2026-01-09T16:34:03.434328959Z
Attempts to take over accounts seem to have been one direct result of this exposure, which would account for the increase in requests for password resets. The compromised data could be used for long-term phishing campaigns in addition to direct account compromise. In order to look authentic, attackers in these schemes frequently direct victims to phony websites that closely mimic official Instagram pages by using social engineering techniques and accurate personal information. Under the pretense of account recovery, these pages might ask users for their current passwords or other private data.
Experts caution that because of the size of the purported leak, scams related to it may continue for weeks, months, or even years. It is therefore recommended that users change their passwords frequently and enable two-factor authentication, ideally with app-based authenticators like Google Authenticator instead of SMS codes. It’s also advised to check the Meta Accounts Center to make sure recovery and contact information is up to date and to confirm that all recorded logins are identified.
Meta has denied that there has been a security breach in spite of these reports. While acknowledging that “an issue allowed third parties to request password resets for some users,” Instagram insisted that this did not amount to a security vulnerability in a statement posted on its official account on X (formerly Twitter). The issue has since been fixed, according to Meta, which also advised users to disregard any unsolicited password reset emails they may have already received.
Filed in . Read more about Cybersecurity and Instagram.