Instagram addresses data breach claims after millions reportedly impacted by password reset emails

Instagram has stated that there was no data breach after millions of users worldwide received password reset emails they did not request, sparking widespread concern about account security.

The unexpected emails began arriving in inboxes on January 8, 2026. Users reported that the messages appeared legitimate, coming from Instagram’s official email address and displaying correct branding and formatting. The volume and timing of the emails led many to fear their accounts had been compromised.

Earlier reports from cybersecurity firm Malwarebytes claimed that data linked to 17.5 million Instagram accounts had been stolen and was being offered for sale online. The reports suggested that personal information such as usernames, email addresses and phone numbers may have been exposed, intensifying anxiety among users who had received the reset notifications.

However, Instagram addressed the situation publicly on X on the morning of January 11. In a post from its official account, the company said, “ There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails".

Users had reported that some of the reset emails did not appear in Instagram’s in-app email history, while others said they received repeated notifications even after changing their passwords manually.

Despite the reassurance, cybersecurity experts continue to advise caution. Users concerned about their accounts are encouraged to change passwords directly through the Instagram app and enable two-factor authentication to add an extra layer of protection.