LT Tech Blog

Wow News on Tech and AI

Security incidents Threats & Incidents

Instagram says no breach after suspicious password reset emails circulated

By

Jan 11, 2026 #dark web sale, #data-exfiltration-claim, #Instagram, #Malwarebytes, #password-reset-emails

TL;DR

Instagram reported that it found no evidence of a systems breach after some users received unexpected password reset emails and said it corrected the underlying issue. Antivirus firm Malwarebytes published a screenshot claiming data from 17.5 million accounts was stolen and offered for sale, a claim Instagram did not confirm.

What happened

Over the weekend, some Instagram users received unexpected password-reset messages that appeared suspicious. Antivirus company Malwarebytes shared a screenshot of an email and asserted that sensitive information for roughly 17.5 million Instagram accounts — including contact and location details — had been exfiltrated and was being sold on the dark web. Instagram responded on X, saying it addressed a problem that allowed an outside party to trigger password-reset emails for some accounts and advising people to disregard those messages. The company characterized the situation as not a breach but provided no additional detail about the external party, the technical cause, or whether any account data was actually accessed. Instagram apologized for the confusion but stopped short of confirming Malwarebytes’ claims about stolen data.

Why it matters

  • Unsolicited password-reset emails can be used as a vector for account takeover or credential-harvesting attacks.
  • Public claims of a large-scale data sale can increase risk for affected users and prompt wider scrutiny.
  • Limited disclosure from platforms about the root cause or scope of incidents can erode user trust and complicate response efforts.
  • Users and security teams may need clarity on whether personal information was exposed to assess potential harms.

Key facts

  • Instagram said it fixed an issue that allowed an external party to request password-reset emails for some users.
  • The company stated there was no breach; it did not provide technical details or identify the external party.
  • Malwarebytes posted a screenshot of an email and claimed data for 17.5 million Instagram accounts had been stolen and listed for sale.
  • Malwarebytes said the exposed information included names, addresses, phone numbers and emails, according to its post.
  • Instagram issued its update on X rather than on Instagram or Threads.
  • Instagram told users they could ignore the password-reset emails and apologized for the confusion.
  • TechCrunch reported the exchange between Malwarebytes and Instagram but the platform’s statements did not corroborate the full scope of Malwarebytes’ alleged data sale.

What to watch next

  • Whether Instagram releases more technical details about the cause, scope, and the identity of the external party — not confirmed in the source.
  • Any independent verification or evidence that the claimed dataset of 17.5 million accounts is available on the dark web — not confirmed in the source.
  • Possible follow-up from security researchers or regulators investigating the incident and the platform’s disclosure — not confirmed in the source.

Quick glossary

  • Password-reset email: A message sent to an account’s registered contact address to initiate a password change; attackers can abuse such messages to trick users or as part of account takeover attempts.
  • Data breach: An incident in which unauthorized parties gain access to confidential or sensitive information from an organization’s systems.
  • Dark web: A portion of the internet that requires specialized browsers or configurations to access and is frequently used for anonymous marketplaces and illicit data trading.
  • Phishing: Deceptive communications designed to trick recipients into revealing credentials or other sensitive information.
  • Account takeover: When an unauthorized actor gains control of a user’s online account and can act on the account owner’s behalf.

Reader FAQ

Did Instagram confirm a breach?
Instagram said there was no breach and that it fixed an issue allowing external requests for password-reset emails.

Was data for 17.5 million accounts stolen and sold?
Malwarebytes claimed that, but Instagram did not confirm the alleged data theft; that claim is not confirmed in the source.

Should users change their passwords now?
Instagram advised users to ignore the reset emails and apologized, but it did not provide formal guidance on password changes in the information cited; specific advice is not confirmed in the source.

How did Instagram communicate about the issue?
The company posted its update on X rather than on Instagram or Threads.

IN BRIEF Posted: 2:26 PM PST · January 11, 2026 IMAGE CREDITS: STOCKCAM (OPENS IN A NEW WINDOW) / GETTY IMAGES Anthony Ha Instagram says there’s been ‘no breach’ despite…

Sources

Related posts

By

Related Post

Cybersecurity Threats & Incidents

Meta fixes Instagram password-reset flaw but denies any user data leak

Jan 12, 2026
Security incidents

DHS Imposes Seven‑Day Notice for Congressional Visits to Minneapolis ICE Sites

Jan 11, 2026
Cybersecurity Threats & Incidents

Poison Fountain: Site Urges Caching and Serving Poisoned Training Data

Jan 11, 2026

Leave a Reply

Your email address will not be published. Required fields are marked *


You missed

DevTools Product launches

Introducing EktuPy: a browser-based Python editor to bridge Scratch to code

January 12, 2026
Policy / Compliance

Statement from Jerome Powell posted on Federal Reserve website

January 12, 2026
Gaming & Creators Mobile & Apps

Uncrossy: A minimalist drag-to-clear word puzzle where words shift

January 12, 2026
Cloud & Dev GenAI (models, assistants)

CLI agents like Claude Code make home self-hosting simpler and actually fun

January 12, 2026