Instagram has stated that its systems were not breached and that recent password reset emails some users received were triggered by an external party abusing a now-fixed issue.
The company says user accounts remain secure and that the unexpected reset emails can be safely ignored.
The clarification follows reports of a large-scale Instagram data leak in which details of roughly 17.5 million accounts were advertised on cybercrime forums.
That dataset, reportedly scraped in 2024, contained usernames, email addresses, phone numbers, and partial location data, fuelling fears of account takeovers and targeted phishing attacks.
In a brief public statement, Instagram said it had “fixed an issue that let an external party request password reset emails for some people.” The platform stressed that there was “no breach of our systems” and assured users that their Instagram accounts “are secure,” directly countering speculation that attackers had gained internal access.
According to Instagram, the flaw allowed unknown parties to trigger legitimate password reset emails without having compromised the affected accounts.
While this behavior was alarming for users, the company indicates it did not give attackers the ability to change passwords or log in; rather, it was used to spam reset prompts as a problem or social engineering vector.
Instagram’s message instructs users that they can ignore any unsolicited password reset emails that arrived during this period.
Even so, security professionals recommend enabling two-factor authentication, using unique passwords, and remaining cautious of phishing messages that reference recent security news to appear more convincing.
The timing of the reset email issue, alongside the appearance of the 17.5 million–record dataset on dark web markets, has raised questions about whether scrapers or threat actors used exposed contact data to target specific users.
While Instagram maintains its core infrastructure was not compromised, experts say the incident highlights how large-scale data scraping and minor platform flaws can combine to create serious perception and security risks for social media users.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
