By Abdul Wasay ⏐ 5 hours ago ⏐ 2 min read
Instagram Data Breach

Millions of Instagram users worldwide have received unsolicited password reset emails that appeared to come from Instagram’s official security address, prompting widespread concern about a possible data breach and ongoing exploitation of user information.

Cybersecurity firm Malwarebytes has connected these unsolicited reset emails to a data leak exposing sensitive details from approximately 17.5 million Instagram accounts, first scraped via an API vulnerability in late 2024 and resurfacing on dark web forums this week.

The exposed dataset reportedly includes usernames, email addresses, phone numbers, and partial physical addresses, a combination of information that can enable phishing, impersonation, and credential-harvesting attacks.

According to multiple security trackers, the reset messages sent to users mirrored Instagram’s standard communication format and appeared to originate from verified domains such as @mail.instagram.com, but their volume and timing suggest they are tied to the resurfaced breach rather than isolated forgotten password requests.

Reports on social platforms and tech sites show that some recipients verified the legitimacy of the email headers yet reported no reset request in their account security logs.

In the emails, users are informed that Instagram has received a request to reset their password. They include two links: one to reset your password and another to “let us know” if you didn’t make this request. The message states, “If you ignore this message, your password will not be changed.”

According to the cybersecurity firm Malwarebytes, most of these emails may have been sent in response to a reported cyber breach. According to the firm, Instagram data was stolen in late 2024, which allowed hackers to scrape user profile data from around 17.5 million profiles. Sensitive information, including usernames, addresses, phone numbers and emails, was scraped in the alleged breach.

Instagram states that password reset emails may not be a cause for alarm.

“Receiving a password reset email doesn’t necessarily mean that your account has been hacked,” Instagram said on its website.

For example, when someone is trying to log into their account or reset their password, they may mistype or misremember their email address or username and enter yours by mistake.

Only people who know your Instagram password or click the login link in this email can log in to your account.

If you do have additional security concerns, you may want to reset your password and enable two-factor authentication.

Meta has not confirmed if there has been a cybersecurity breach impacting Instagram.