Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
If you’ve received a lot of password reset requests from Instagram recently, you’re not alone. Malwarebytesan antivirus software company, initially reported that there had been a data breach revealing the “sensitive information” of 17.5 million Instagram users. Malwarebytes added that the leak included Instagram usernames, physical addresses, phone numbers, email addresses and more. However, Instagram said there were no violations and that user accounts were “secure.”
In a Malwarebytes post, the company added that “the data is available for sale on the dark web and can be used by cybercriminals.” Malwarebytes said in an email to customers that it discovered the flaw during its routine scanning of the dark web and that it was linked to a potential incident related to Instagram API exposure starting in 2024.
The reported violation allowed users to receive several emails from Instagram about password reset requests. According to Malwarebytes, the leaked information could lead to more serious attacks, such as phishing attempts or account takeovers. In response, Instagram posted on X that users can ignore recent emails requesting a password reset.
“We fixed an issue that allowed an external party to request password reset emails for certain individuals,” read Instagram’s post on X. “There was no breach of our systems and your Instagram accounts are secure.”
Even though Instagram said it wasn’t a data breach, its parent company has been in hot water since data breaches in the past. If you haven’t already, it’s always a good idea to enable two-factor authentication and change your password. Better yet, you can check which devices are connected to your Instagram account in Meta’s Account Center.
Updated, January 11, 2026, 11:10 a.m. ET: This story and its headline have been updated with Instagram’s statement posted on X.
