Millions of Instagram users around the world have reported receiving unexpected password reset emails that appear to come from Instagram’s official security address, sparking concerns about a possible data breach and the misuse of personal information.
Cybersecurity firm Malwarebytes has connected the spike in reset emails to a previously exposed dataset containing details of around 17.5 million Instagram accounts. Hackers originally scraped the data through an API vulnerability in late 2024, and the information has reportedly resurfaced on dark web forums in recent days.
Security analysts say the leaked data includes usernames, email addresses, phone numbers, and partial physical addresses—information that attackers could use for phishing, impersonation, or credential-harvesting schemes.
Several cybersecurity monitoring platforms noted that the emails closely match Instagram’s official formatting and appear to originate from verified domains such as @mail.instagram.com. However, experts believe the unusual volume and timing of the messages point to a connection with the reappearance of the leaked data rather than legitimate password reset requests from users.
Social media users and technology websites have also reported that, despite the emails looking authentic and carrying valid headers, many recipients found no record of any password reset request in their account activity or security logs.
The emails inform users that someone has requested a password reset and offer two options: proceed with changing the password or report the request as unauthorised. The message reassures recipients that their password will remain unchanged if they take no action.
