Hacker or false alarm? Instagram’s dubious flood of password emails

Thousands of Instagram users are currently receiving password reset emails. Is there a leak of 17.5 million data records, or just a technical error? Meta gives the all-clear, but experts advise caution. Here is what you should do now.
Mysterious flood of reset emails
Last weekend, a wave of emails caused unrest: countless users of the social media platform Instagram reported unsolicited notifications asking them to reset their passwords. The sheer volume of requests quickly raised suspicions that a large-scale compromise of user accounts was underway. The nervousness of users is no coincidence. Shortly before the email wave, a supposedly new data set appeared in well-known hacker forums. As the security company Malwarebytes observed, a user under the pseudonym “Solonik” offered data from around 17.5 million Instagram profiles for sale on January 7, 2026.
Experts therefore quickly established a connection between the data set offered and the mass reset requests. It was reasonable to assume that criminals used the stolen email addresses to automatically trigger the password reset.
Instagram denies security leak
Despite the chain of evidence, the platform operator rejects a system-related break-in. In an official statement on Sunday, Instagram commented on the incidents and stated that no internal security vulnerability had been exploited. The company said it had merely fixed a bug that allowed an “external party” to trigger these emails en masse.
“We fixed an issue that allowed external third parties to request password reset emails for specific people. There was no attack on our systems and your Instagram accounts are safe. You can ignore these emails – please excuse the confusion.” (Instagram via X/Twitter)
The accounts are secure and users can ignore the messages. However, the service failed to provide a detailed explanation of who this external party was or how exactly the mechanism was abused. The technical analysis of the data circulating on the Dark Web (via BleepingComputer) suggests that this is so-called “scraping”: the automated harvesting of information that is publicly available or accessible via interfaces. According to experts, the data structures and specific JSON fields indicate a possible API leak. Although parent company Meta emphasizes that it knows of no recent API security incidents, the company’s history in this regard is not flawless: in previous years, millions of data records had already been accessed due to similar interface errors.
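The statement above describes a bug that let an outside party request reset emails for specific accounts in bulk. A defender-side control that catches exactly that pattern is monitoring the reset endpoint for a single client addressing many distinct accounts within a short window, something a legitimate user who forgot a password never does. The following is an added example and not Instagram's or Meta's code; the log line format, the /password/reset path, the account identifiers, the IP addresses and the thresholds are all constructed assumptions.

```python
"""Detect one client triggering password resets for many accounts.

Hypothetical detection sketch, not Instagram's or Meta's code. The log
format, the reset endpoint path, the thresholds and every address and
account identifier below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO timestamp> <client IP> POST <path> target=<account id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) target=(?P<target>\S+)$"
)
RESET_PATH = "/password/reset"  # assumed endpoint; not a real Instagram path

# Constructed sample log. 203.0.113.7 fires resets at eight different accounts
# in eight seconds; 198.51.100.4 is a real user who clicked "reset" twice;
# 192.0.2.9 touches two accounts, which stays below the threshold.
SAMPLE_LOG = """\
2026-01-10T09:00:01Z 203.0.113.7 POST /password/reset target=acct-a1
2026-01-10T09:00:02Z 203.0.113.7 POST /password/reset target=acct-a2
2026-01-10T09:00:03Z 203.0.113.7 POST /password/reset target=acct-a3
2026-01-10T09:00:04Z 203.0.113.7 POST /password/reset target=acct-a4
2026-01-10T09:00:05Z 203.0.113.7 POST /login target=acct-a1
2026-01-10T09:00:05Z 203.0.113.7 POST /password/reset target=acct-a5
2026-01-10T09:00:06Z 203.0.113.7 POST /password/reset target=acct-a6
2026-01-10T09:00:07Z 203.0.113.7 POST /password/reset target=acct-a7
2026-01-10T09:00:08Z 203.0.113.7 POST /password/reset target=acct-a8
2026-01-10T09:00:10Z 198.51.100.4 POST /password/reset target=acct-b1
2026-01-10T09:00:40Z 198.51.100.4 POST /password/reset target=acct-b1
2026-01-10T09:01:00Z 192.0.2.9 POST /password/reset target=acct-c1
2026-01-10T09:01:30Z 192.0.2.9 POST /password/reset target=acct-c2
"""


def parse_line(line):
    """Return (timestamp, ip, target) for a reset request, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("path") != RESET_PATH:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc), m.group("ip"), m.group("target")


def find_reset_floods(lines, window=timedelta(minutes=1),
                      max_requests=5, max_targets=3):
    """Flag client IPs whose reset requests in any sliding window exceed
    max_requests, or address more than max_targets distinct accounts.

    Returns {ip: {"requests": peak count, "distinct_targets": count}}.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, target = parsed
            events[ip].append((ts, target))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # sort by timestamp so the two-pointer window is valid
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            targets = {t for _, t in in_window}
            if len(in_window) > max_requests or len(targets) > max_targets:
                prev = flagged.get(ip)
                if prev is None or len(in_window) > prev["requests"]:
                    flagged[ip] = {"requests": len(in_window),
                                   "distinct_targets": len(targets)}
    return flagged


def main():
    for ip, info in find_reset_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['requests']} reset requests for "
              f"{info['distinct_targets']} distinct accounts in one window")


if __name__ == "__main__":
    main()
```

The distinct-target count matters more than the raw request count: a genuine user retrying a reset for their own account produces repeats of one target, while the bulk pattern the statement describes spreads across many. In production the same logic would run on the reset endpoint's access logs and feed per-client rate limiting rather than a printout.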
Phishing danger through data sets
One technical detail is essential for reassurance: according to current knowledge, the leaked data set does not contain any passwords. A direct login by third parties is therefore not possible on the basis of this data alone. Nevertheless, caution is advised. The combination of email addresses, phone numbers and usernames is an ideal breeding ground for targeted social engineering, phishing or “smishing” (phishing via SMS).
Security experts strongly advise against clicking any links in the unsolicited reset emails. If you want to increase the security of your account, you should activate two-factor authentication (2FA). An authenticator app is preferable to the SMS method, as the latter is more susceptible to SIM swapping attacks.