Instagram Confirms No System Breach and Fixes External Party Password Reset Issue

Instagram has clarified that its internal systems were not compromised following reports of unexpected password reset emails sent to users. The company confirmed that the incident was caused by an external party abusing a now-resolved issue and emphasized that user accounts remain secure.

Clarification Following Data Leak Reports

The statement comes after widespread discussion of a dataset, advertised on cybercrime forums, containing details linked to approximately 17.5 million Instagram accounts. The data, reportedly scraped during 2024, included usernames, email addresses, phone numbers, and partial location information. These reports raised concerns about potential account takeovers and targeted phishing campaigns.

In response, Instagram issued a brief public clarification stating that it had “fixed an issue that let an external party request password reset emails for some people.” The company stressed that there was no breach of its systems and directly rejected claims that attackers had gained internal access.

What Actually Happened

According to Instagram, the flaw allowed unknown actors to trigger legitimate password reset emails without accessing or compromising the actual accounts. While the emails appeared authentic and caused alarm among users, the company stated that attackers were not able to change passwords or log in to accounts.

Instead, the issue appears to have been used primarily to spam password reset prompts, potentially as a social engineering tactic designed to confuse or pressure users.

Instagram advised users that any unsolicited password reset emails received during this period can be safely ignored.

Security Recommendations for Users

Although Instagram maintains that accounts remain secure, cybersecurity professionals continue to recommend basic protective measures. These include enabling two-factor authentication, using strong and unique passwords, and staying alert to phishing messages that reference recent security incidents to appear more convincing.

The overlap between the reset email issue and the circulation of scraped account data has led to speculation that exposed contact details may have been used to target specific users. However, Instagram reiterated that its core infrastructure was not breached.


