If you’ve recently received a bunch of password reset requests from Instagram, you’re not alone. Malwarebytes, an antivirus software company, initially reported that there was a data breach that exposed “sensitive information” of 17.5 million Instagram users. Malwarebytes said the leak included Instagram usernames, physical addresses, phone numbers, email addresses, and more. However, Instagram said there was no breach and that user accounts were “safe”.
In the Malwarebytes post, the company said that “the data is available for sale on the dark web and can be misused by cybercriminals.” Malwarebytes told its customers in an email that it discovered the breach during its routine dark web scan and that it is linked to a possible incident related to the Instagram API exposure from 2024.
As a result of the reported breach, users have received multiple emails from Instagram regarding password reset requests. According to Malwarebytes, the leaked information could lead to more serious attacks like phishing attempts or account takeover. In response, Instagram posted on Twitter that users can ignore recent emails requesting a password reset.
“We fixed an issue that allowed an external party to request a password reset email for some people,” Instagram’s post on X reads. “There was no breach of our systems and your Instagram account is secure.”
While Instagram said it did not have a data breach, its parent company has been in controversy for data breaches in the past. If you haven’t already, it’s always a good idea to turn on two-factor authentication and change your password. Even better, you can review which devices are logged into your Instagram account in Meta’s Account Center.
Updated, Jan. 11, 2026, 11:10am ET: This story and its headline have been updated with Instagram’s statement that was posted on Twitter.
<a href