Instagram has denied suffering a data breach after thousands of users reported receiving unexpected emails asking them to reset their passwords, triggering confusion and concern across social media.
The company said it had fixed an issue that allowed an external party to trigger legitimate password reset emails to be sent to some users. Instagram insisted that its systems were not compromised and that user accounts remain secure.
“We resolved a problem that let an external party request password reset emails for some people,” Instagram said in a statement. “There was no breach of our systems.”
Cyber security experts question the explanation
The reassurance has been challenged by some cyber security researchers. Malwarebytes claimed the emails may be connected to a much larger data exposure, alleging that information linked to 17.5 million Instagram accounts is currently being offered for sale on a hacker forum.
In a post shared on X, the firm said the dataset allegedly includes usernames, phone numbers, email addresses and physical locations, and dates back to what is being described as a “leak” from 2024. The post, which included a screenshot of an Instagram password reset email, has been viewed more than two million times.
Malwarebytes later told the BBC it believes the sudden wave of password reset messages may be linked to the circulation of that data rather than a random technical glitch.
Is the data actually new?
Other security researchers are more sceptical. Some believe the dataset may not be the result of a new breach at all, but instead an older collection of information gathered in 2022 using data that was publicly visible on Instagram profiles, such as names and locations.
This conflicting analysis has left users uncertain, particularly because Instagram has not clarified who the external party was or how they were able to send official password reset emails without accessing internal systems.
Why users became alarmed
The emails themselves appear to be genuine. The reset links lead to legitimate Instagram pages, and users who followed the process reported no obvious signs of phishing or malware.
However, the unexpected nature of the alerts caused many people to fear a coordinated hacking attempt or scam designed to compromise accounts.
Cyber security experts advise users not to click links in unsolicited emails. Instead, they recommend opening the Instagram app or website directly to change passwords and enabling additional security measures.
What users should do now
- Do not panic if you receive a password reset email you did not request
- Change your password directly via the Instagram app or official website
- Enable two-factor authentication for added protection
- Be cautious of follow-up messages requesting personal information
While Instagram maintains there has been no breach, the incident highlights how easily legitimate security notifications can trigger alarm — and how difficult it can be for users to distinguish between technical issues, precautionary alerts and genuine cyber threats.
