Over the weekend, tons of people reported receiving seemingly random password-reset emails from Instagram, and now the platform says it has addressed the issue.
So what was the problem? Well, the issue isn’t exactly known right now. According to the platform, all that is known is that an “external party” triggered the emails, and that they are safe to ignore.
Instagram has since posted on X, claiming the issue has been fixed and that there was no breach of its systems. On the other hand, a Malwarebytes report dating back to Jan. 9 says that information on 17.5 million Instagram accounts (usernames, addresses, phone numbers, and email addresses) was available (and for sale) on the dark web.
We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure.
You can ignore those emails — sorry for any confusion.
— Instagram (@instagram) January 11, 2026
According to Gizmodo, the cybersecurity company noted in an email to customers that it discovered the information during a routine dark web scan and that it’s tied to a potential incident related to Instagram’s API exposure in 2024.
Although Instagram is denying that it is a data breach, it wouldn’t be the first time the platform has accidentally shared your contact information. Back in 2019, a researcher found that the source code for some user profiles displayed their contact information when loaded in a web browser, affecting both private accounts and those of minors.
MobileSyrup may earn a commission from purchases made via our links, which helps fund the journalism we provide free on our website. These links do not influence our editorial content. Support us here.
