Instagram denies data leak amid password reset email complaints

Instagram has denied claims of a data breach after numerous users reported receiving unexpected password reset emails, raising concerns about a possible security incident.

The development came after a post on Bluesky by cybersecurity firm Malwarebytes, which shared a screenshot of what appeared to be a legitimate Instagram password reset email.

The post claimed that sensitive information from 17.5 million Instagram accounts had been stolen and was allegedly being sold on the dark web.

According to the claim, the exposed data included usernames, email addresses, phone numbers, and even physical locations, potentially putting affected users at risk of cybercrime.

Instagram later responded on X (formerly Twitter), stating that it had not been breached. Instead, the company said it had fixed an issue that allowed an external party to trigger password reset emails for some users.

The company also added that users could safely ignore the emails and apologised for the confusion, without providing further technical details.

Following the reports, many users claimed that they received password reset messages from Instagram’s official security email despite not requesting them.

While the emails appeared authentic, the sudden surge caused alarm across the platform.

Security researchers have suggested that the activity could be linked to previously leaked data being used to initiate automated reset requests or mask phishing attempts.