Been asked to reset your Instagram password? Company denies data breach reports after users bombarded with request emails

Instagram denies data breach reports after users hit with password reset requests

News By Sead Fadilpašić published 12 January 2026

Instagram is getting kicked out of Russia (Image credit: Shutterstock) Share Share by:

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Threads

Share this article 0 Join the conversation Follow us Add us as a preferred source on Google

• Meta says Instagram password reset emails were triggered by error, not a breach of systems
• Malwarebytes reported 17.5 million account details leaked, possibly from past API incidents (2022 or 2024)
• Hackers sharing authentic data heightens phishing risks; users advised to verify info directly on Meta sites

Some Instagram users have received password reset emails without requesting them - but the company says it hasn't experienced a data breach.

Parent company Meta has issued a statement saying this was not a data breach, and that the accounts were not at risk, at all. Instead, it claims this was an error that allowed third parties to trigger password reset emails, and that is all.

"We fixed an issue that allowed an external party to request password reset emails for some Instagram users," a Meta spokesperson said. "We want to reassure everyone there was no breach of our systems and people's Instagram accounts remain secure. People can disregard these emails and we apologize for any confusion this may have caused."

When was it stolen?

This follows recent reports from Malwarebytes claiming unidentified thread actors had stolen data from 17.5 million Instagram accounts.

The stolen data allegedly included user IDs, usernames, email accounts, phone numbers, names, and postal addresses. According to the researchers, the data ended up on “numerous hacking forums”, where it was said that it was pulled from a 2024 Instagram API leak.

Not everyone agrees with this assessment, though. Some researchers believe the data was, in fact, grabbed during the 2022 API scraping incident. Meta, on the other hand, says it knows nothing of any API incidents in either 2022 or 2024.

Regardless of if the data was stolen in 2022, 2024, or 2026, the fact that hackers are sharing authentic user data on the dark web should be cause for concern enough. With this much information, cybercriminals can launch convincing phishing emails, tricking users into sharing their Instagram login credentials, or even those for Facebook and WhatsApp.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors