Millions of Instagram users across the world have reported receiving unexpected password reset emails, triggering widespread concern over a possible data breach and the misuse of personal information.
Debut Delight Antoine Semenyo Shines as Manchester City Thrash Exeter 10–1 in FA Cup
Cybersecurity firm Malwarebytes has connected the surge in reset notifications to a previously exposed dataset involving around 17.5 million Instagram accounts. The data was originally scraped through an API vulnerability in late 2024 and has reportedly resurfaced on dark web forums in recent days.
Security experts say the compromised information includes usernames, email addresses, phone numbers and partial physical addresses — details that could be exploited for phishing, impersonation and credential-harvesting attacks.
Several cybersecurity monitoring platforms noted that the emails closely resemble Instagram’s official password reset messages and appear to originate from verified domains such as @mail.instagram.com. However, analysts believe the unusual volume and timing of the emails point to automated activity linked to the resurfaced dataset, rather than genuine user-initiated reset requests.
Many users reported that although the emails looked authentic and contained legitimate technical headers, there was no record of a password reset request in their account security logs or activity history.
The messages inform recipients that a password reset has been requested and offer two options: proceed with resetting the password or report the request as unauthorized. The email reassures users that their password will remain unchanged if no action is taken.
Malwarebytes said the spike in reset emails is consistent with attempts to test or exploit leaked account data. Instagram, however, has stated that receiving a password reset email alone does not necessarily indicate a breach and has urged users to remain vigilant, avoid clicking suspicious links, and enable two-factor authentication.
