Instagram denies data leak of 17.5 million accounts and stops password reset email wave

What happened

Over the weekend, Instagram users across multiple countries reported receiving password reset emails they never requested. The situation quickly escalated after claims appeared online that data from 17.5 million accounts was being sold on dark web marketplaces. Instagram responded by stating that no breach had occurred and confirmed that the unexpected email wave had already been stopped.

Official explanation

According to Instagram, the incident was caused by an abuse of the account recovery mechanism. A third party was able to trigger password reset emails for certain users without gaining access to the accounts themselves. The company emphasized that no passwords were compromised and no internal systems were breached. The vulnerability that allowed mass email triggering has since been closed, and users were advised to ignore reset emails if they did not initiate a request.

Why this caused concern

Cybersecurity researchers note that such incidents often coincide with broader data misuse campaigns. Malwarebytes linked the email wave to a dataset allegedly containing usernames, email addresses, phone numbers, and other metadata. While Instagram rejected claims of a confirmed leak, experts pointed out that similar datasets are frequently recycled or aggregated from older incidents.

Relevant statistics

  • According to IBM’s Cost of a Data Breach Report 2024, phishing and credential abuse account for over 36% of all security incidents.

  • Verizon’s DBIR 2024 reports that 74% of breaches involve the human element, including social engineering and phishing.

  • Meta disclosed that Instagram blocks millions of automated abuse attempts daily, highlighting the scale of constant attack pressure.

How users can protect themselves

Security specialists recommend enabling two-factor authentication, using a unique password, and regularly reviewing active sessions via the Accounts Center. Most importantly, users should avoid clicking links in unexpected emails and instead access Instagram directly through the official app or website.

Even without a confirmed breach, mass password reset emails are often used as a phishing hook. Awareness and basic security hygiene remain the most effective defense.
