In the past few days, many Instagram users received password reset emails that they did not request. This created panic among users. Many people believed their accounts were hacked or that Instagram had suffered a major data breach.
The situation started after cybersecurity company Malwarebytes claimed it found data linked to about 17.5 million Instagram users on the dark web. According to the company, the leaked data included usernames, email addresses, phone numbers, and in some cases physical addresses. Malwarebytes said this data could be misused by cybercriminals for phishing scams, fraud, and account takeovers.
Malwarebytes said it discovered the data during its routine dark web scans. The company also suggested that the data might be connected to an Instagram API exposure from 2024. This raised questions about whether the data was newly leaked or collected earlier and resurfaced now.
Soon after these claims became public, many users reported receiving multiple password reset emails from Instagram. This made the situation look more serious and added to fears of a security breach.
Instagram responded quickly and denied the claims.
In a post on X, the company said there was no data breach and no hacking of its systems. Instagram said it fixed an issue that allowed an external party to send password reset requests to some users. The company made it clear that user accounts were secure and that people could safely ignore those emails if they did not request a password reset.
Instagram also said that the issue was limited to abuse of the password reset feature and did not involve unauthorized access to user data. Even though Instagram denied a breach, cybersecurity experts say users should still be careful. If user data is available on the dark web, even if it is old, it can still be used for scams. Email addresses and phone numbers are often used for phishing attacks and fake login attempts.
There is also speculation about where the data came from. Some experts believe the dataset could be old and collected through scraping or third-party services. Others say the lack of clear details makes it hard to fully trust any single explanation.
For users, basic security steps are still important. Turning on two-factor authentication, using a strong and unique password, and checking logged-in devices through Meta’s Accounts Center can help protect accounts. Users should also avoid clicking on suspicious emails or links.
Instagram says there was no data breach and no hack. Malwarebytes says Instagram-related user data is being sold online. While the exact source of the data is still unclear, users should stay alert and focus on keeping their accounts secure.
