Thousands of Instagram users were caught off guard this week after receiving emails urging them to reset their account passwords. The messages triggered concern and speculation about a potential security breach, but the platform has moved to clarify the situation.
Instagram said the incident was caused by a flaw that allowed an “external party” to send legitimate password reset requests on behalf of the company. The social media platform stressed that its internal systems were not compromised and that all user accounts remain secure.
“We fixed an issue that let an external party request password reset emails for some people,” Instagram said. “There was no breach of our systems.”
Despite the reassurance, many users voiced worry on social media, unsure whether the emails were genuine or part of a phishing attempt aimed at stealing personal information. The messages appeared to come from Instagram itself, which only added to the confusion.
Cybersecurity company Malwarebytes has disputed Instagram’s explanation.
In a post on X, it claimed, “Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more,” and included a screenshot of a password reset email.
Malwarebytes told the BBC it believes the emails are tied to a sale of private data on a hacker forum, where someone has offered the personal details of 17.5 million users.
The seller said the information came from a “leak” in 2024, though some experts suggest the data could be older, collected from publicly visible sources as far back as 2022.
The conflicting statements have left users uncertain who to trust. Instagram has not responded to requests for further explanation about the identity of the external party or how it gained the ability to trigger legitimate reset emails.
Some users worried the emails might be scams, but investigations showed that the links were not malicious. The password reset process itself appeared to function normally.
Security experts still recommend that users avoid following email links and instead go directly to the official app or website to change passwords and enable extra security measures.
