A surge of unsolicited password reset emails from Instagram has left users worldwide confused and concerned. Reports began surfacing on January 8, with recipients receiving reset notifications they did not request.
Cybersecurity experts have linked the email wave to a confirmed data breach that exposed personal information of about 17.5 million Instagram users. While the messages originate from a legitimate Instagram address, the alerts are believed to be triggered by threat actors exploiting leaked data to initiate account recovery processes or disguise targeted phishing attempts.
This is the second time this week I’ve received an email saying I requested a password reset, which I didn’t.
Is anyone else experiencing the same thing? #Instagram pic.twitter.com/JzGufrSUGu
— Nazar Gulyk (@neffko) January 10, 2026If you receive one of these emails, do not click any links inside the message. Instead, open the official Instagram app or visit the platform directly through your browser to take control of your account.
Enable two-factor authentication from your security settings and change your password immediately. This adds a critical layer of protection and ensures you are not interacting with a malicious link. You should also review authorised login sessions and log out of any device you do not recognise.
Instagram breach exposes personal data of 17.5 million accounts
The stolen data includes usernames, email addresses, phone numbers, physical addresses, etc. and is already available on the dark web, with some users receiving real Instagram password reset notifications. pic.twitter.com/JXJ2Xwm3Hg
— Timeless Martian (@TimelessMartian) January 10, 2026Security specialists urge users to remain cautious. Treat any unsolicited request for credentials or verification with scepticism, even if it appears to come from Instagram. Legitimate platforms rarely ask users to act urgently through email alone.
Meta, the parent company, has not yet issued an official statement regarding the breach. Analysts describe the incident as one of the most significant data exposures in Instagram’s history, reinforcing the need for stronger personal security practices.
