Instagram has said it has fixed an issue that allowed an external party to trigger password reset emails for some users, denying reports of a breach of its systems. The clarification comes amid a wave of posts online claiming that personal details linked to millions of Instagram accounts had been leaked. Some users reported receiving genuine password reset notifications they did not request, fuelling concerns of hacking. However, Instagram says the incident was linked to an abuse of its password reset process and does not indicate account compromise.
Reset Email Glitch, Not A Hack
In a statement shared with users, Instagram said the issue enabled an outside actor to request password reset emails for certain accounts, creating the impression that profiles were under attack. The company stressed that its systems were not breached and that accounts remain secure.
We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure.
You can ignore those emails — sorry for any confusion.
— Instagram (@instagram) January 11, 2026
Security experts note that such behaviour can occur when bad actors repeatedly enter usernames or email addresses into the “Forgot password” option, prompting automated reset emails. While this does not give criminals direct access to accounts, it can cause panic and increase the risk of phishing, where users are tricked into clicking fake reset links.
Instagram advised affected users to ignore unexpected password reset emails and apologised for the confusion. It also said the loophole has been addressed.
Viral Breach Claims Trigger Panic
The reset-email surge coincided with online reports suggesting that the personal information of 17.5 million users had been exposed, with claims that details such as usernames, email addresses, phone numbers and physical locations were circulating on the dark web.
An Instagram data breach reportedly exposed the personal information of 17.5 million users.
The leak includes usernames, email addresses, phone numbers and more. pic.twitter.com/pdmztaJXJQ
— Pop Crave (@PopCrave) January 10, 2026
However, Instagram’s denial has complicated the narrative. Cybersecurity observers often caution that “breach” claims can sometimes involve older scraped datasets being reshared, repackaged or combined with information from unrelated leaks-making it appear as though a platform has been directly hacked when it has not.
Instagram breach exposes personal data of 17.5 million accounts
The stolen data includes usernames, email addresses, phone numbers, physical addresses, etc. and is already available on the dark web, with some users receiving real Instagram password reset notifications. pic.twitter.com/JXJ2Xwm3Hg
— Timeless Martian (@TimelessMartian) January 10, 2026
Users are being urged to take precautions regardless of the cause of the scare, including enabling two-factor authentication, changing passwords via the Instagram app rather than email links, reviewing active login sessions, and tightening security on linked email accounts.
