Skip to main content

PSA: Instagram password reset emails should be ignored

Avatar for Ben Lovejoy  | Jan 12 2026 - 6:28 am PT
3 Comments
Instagram password reset emails (example shown) should be ignored

If you’ve received an Instagram password reset email, claiming that you requested it, you should ignore it.

Malwarebytes reports that cybercriminals stole Instagram account details for 17.5 million users, but the social network claims that there was no security breach …

Many Instagram users have been reporting receiving Instagram password reset emails, stating that Meta received a request to reset the password.

Exactly what has happened isn’t entirely clear at this stage. Malwarebytes reports that cybercriminals stole account details for 17.5 million Instagram users.

Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. This data is available for sale on the dark web and can be abused by cybercriminals.

Engadget says the security company attributes this to an Instagram API vulnerability.

Malwarebytes noted in an email to its customers that it discovered the breach during its routine dark web scan and that it’s tied to a potential incident related to an Instagram API exposure from 2024.

Instagram says there has been no data breach.

We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails — sorry for any confusion.

9to5Mac’s Take

It seems likely that Malwarebytes is correct in its analysis of what happened, whilst Meta is technically correct that it wasn’t a data breach, since using an API provided by the company doesn’t constitute one in the strictest sense of the term, even if the API was misused.

Either way, the company’s advice applies: just ignore any password reset emails you receive. However, you should be especially alert to phishing attacks in which things like your Instagram username and email may be used to try to fool you into thinking it comes from Meta.

Image: 9to5Mac/Malwarebytes/Luke Chesser on Unsplash

Add 9to5Mac as a preferred source on Google Add 9to5Mac as a preferred source on Google

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Check out 9to5Mac on YouTube for more Apple news:

Comments

Guides

Apps

Apps

Lead the curve on tomorrow’s iOS and Mac app h…
Instagram

Instagram

Instagram is a social media service owned by Fac…
Security

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear

Dell 49-inch curved monitor

Dell 49-inch curved monitor