Instagram is pushing back against swirling breach rumors after some users reported receiving unexpected, suspicious-looking password reset emails. The company says Instagram has not been hacked, and that no account database was stolen—even though the sudden wave of reset requests sparked fears of a major Instagram data leak.
The concern gained traction after antivirus firm Malwarebytes shared a screenshot of an Instagram email notifying users about a password reset request. Alongside that image, the company warned that cybercriminals had allegedly taken sensitive data from 17.5 million Instagram accounts. The claim suggested the stolen information could include usernames and personal contact details such as physical addresses, phone numbers, and email addresses, and that the data was supposedly being sold on the dark web for potential misuse by criminals.
Instagram later responded publicly to address the situation. Rather than confirming any intrusion, the company said it had identified and fixed an issue that allowed an outside party to trigger password reset emails for certain users. Instagram didn’t explain who the outside party was or exactly how the problem worked, but its message was clear: users who received those password reset emails can ignore them, and the company apologized for the confusion.
What this means for users is that a password reset email doesn’t automatically equal a hacked account. In this case, Instagram’s explanation points to an abuse of the password reset request process—not a breach of Instagram systems or a mass theft of user data.
If you received an Instagram password reset email you didn’t request, the safest approach is to avoid clicking anything inside the message and instead open Instagram directly through the official app or website to review your security settings. Turning on two-factor authentication and using a unique, strong password can also help protect your account from unauthorized access attempts.
