TL;DR

Security firm Malwarebytes says account details for about 17.5 million Instagram users were found on the dark web, linked to an earlier API exposure. Instagram (Meta) says there was no breach, that it fixed an issue enabling external requests for password-reset emails, and advises users to ignore unexpected reset messages.

What happened

Over the past few days, many Instagram users reported receiving password reset emails they did not request. Security company Malwarebytes says it discovered the credentials and personal details of roughly 17.5 million Instagram accounts for sale on the dark web, and ties the disclosure to a possible API exposure originating in 2024. Engadget reports that the issue is being attributed to an Instagram API vulnerability. Instagram (Meta) responded that its systems were not breached, saying it corrected an issue that allowed an external party to trigger password reset emails for some accounts, and that users' accounts remain secure. The company told users they can ignore those unsolicited reset messages. Observers note a distinction between an API misuse or exposure and a traditional system breach, but advise heightened caution because exposed usernames and contact details could be used in follow-up phishing attempts.

Why it matters

  • Personal contact and account details for millions were allegedly exposed and appear on the dark web, increasing risk of fraud and targeted scams.
  • Unsolicited password-reset emails can create confusion and provide an attack vector for phishing campaigns that leverage known user data.
  • Disagreement over whether this counts as a breach highlights how API misuse and data exposures are classified and disclosed.
  • Even if account credentials were not directly accessed via Instagram systems, leaked profile details still enable social engineering.

Key facts

  • Malwarebytes reports roughly 17.5 million Instagram account records were stolen and offered for sale on the dark web.
  • Reportedly exposed fields include usernames, physical addresses, phone numbers, email addresses and other details.
  • Malwarebytes said it found the data during routine scans of dark-web markets and links the incident to an Instagram API exposure from 2024.
  • Engadget and security firms attribute the availability of data to an Instagram API vulnerability.
  • Instagram (Meta) says there was no breach of its systems and that it fixed an issue that allowed an external party to request password reset emails for some people.
  • Meta advised users they can ignore unexpected password reset emails and apologized for any confusion.
  • Security commentators distinguish between an API being misused and a conventional data breach, while agreeing users should stay alert to phishing.

What to watch next

  • Whether Instagram/Meta will publish technical details or a timeline of the API issue — not confirmed in the source
  • If regulators or affected users pursue inquiries or notifications about the exposed records — not confirmed in the source
  • Whether additional account records surface on dark-web marketplaces or security researchers corroborate the 17.5 million figure — not confirmed in the source

Quick glossary

  • API (Application Programming Interface): A set of rules and tools that lets different software systems communicate; vulnerabilities in APIs can expose data if misused.
  • Dark web: Parts of the internet not indexed by standard search engines, where stolen data and illicit services are often traded.
  • Phishing: A type of social-engineering attack where attackers try to trick people into revealing credentials or personal information.
  • Data breach: An incident where unauthorized parties gain access to confidential or protected information; definitions and classifications can vary.

Reader FAQ

Was there an Instagram data breach?
Reports conflict: Malwarebytes says 17.5 million accounts' details were found on the dark web, while Instagram states there was no breach of its systems and that it fixed an issue; both positions are noted in the source.

Should I change my Instagram password right now?
Not confirmed in the source.

What kind of data was exposed, according to the report?
The source says exposed records included usernames, physical addresses, phone numbers, email addresses and other details.

What should I do if I receive an unsolicited password reset email?
Instagram's guidance reported in the source is to ignore those password reset emails and be alert to potential phishing attempts.
