Tom’s Guide
Kaycee Hill

Instagram denies data breach of 17 million users after password reset email wave — here's what to do next

Instagram users across the platform received unexpected password reset emails over the weekend, triggering widespread alarm about a potential security breach. The unsolicited requests arrived in inboxes without warning, and according to Malwarebytes, 17.5 million users are affected.

Social media exploded with speculation that Instagram had been hacked, with users questioning whether their accounts and personal information had been compromised. Instagram has since responded to the concerns, clarifying that no data breach occurred and that the issue has been resolved.

The company confirmed an "external party" triggered the password reset requests but maintained its systems were never breached and accounts remain secure. Questions still remain, however, about how email addresses were used to generate these requests and what users should do to protect themselves.

Here's what happened, what Instagram is saying, and how to secure your account regardless of whether you received the suspicious emails.

Avoid clicking on this email

If you received one of these password reset emails, don't click any links or buttons inside it, even if it looks legitimate.

These emails can lead to phishing sites designed to steal your login credentials. Attackers create fake Instagram login pages that look identical to the real thing, and once you enter your password on these fake sites, they immediately capture it.

Even if the email came from Instagram legitimately during this incident, clicking links in unsolicited emails trains you to trust unexpected communications, making you more vulnerable to future phishing attempts.
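
For readers who triage reported messages or write mail-filter rules, the following added example (not from the article or from Instagram) flags links in a reset email whose host only resembles Instagram's. The trusted-domain list, the function names and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the one domain treated as genuine. The article does not list
# Instagram's official link domains; adjust this set for your own triage rules.
TRUSTED_DOMAINS = {"instagram.com"}


class LinkCollector(HTMLParser):
    """Collects every href found in <a> tags of an HTML email body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def host_is_trusted(url):
    """True only for https links whose host is a trusted domain or a subdomain of one."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    # Compare on a label boundary. A bare substring or suffix test would accept
    # hosts that merely contain or end with the trusted string.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(html_body):
    """Return the links in an email body that do not point at a trusted host."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [u for u in collector.hrefs if not host_is_trusted(u)]


# Constructed sample body (not a real message); .example hosts are placeholders.
SAMPLE_EMAIL = """
<p>We got a request to reset your Instagram password.</p>
<a href="https://www.instagram.com/accounts/password/reset/">Reset password</a>
<a href="https://instagram.com.account-help.example/reset">Reset password</a>
<a href="https://instagram.com@198.51.100.7/login">Log in</a>
<a href="http://instagram.com/login">Log in</a>
"""
```

A link that passes this check only shows where it points; changing the password from inside the app, as described below, remains the safer route.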

What Instagram says happened

Instagram posted on X stating that it "fixed an issue that let an external party request password reset emails for some people." The company emphasized that "there was no breach of our systems and your Instagram accounts are secure," advising users to simply ignore the emails.

However, Instagram didn't explain how an external party managed to trigger password reset requests without accessing Instagram's systems.

Some outlets, such as CyberInsider, have suggested the incident may be connected to a 2024 Instagram API breach that leaked data from over 17 million users — including usernames, phone numbers, and email addresses.

If this leaked data was used to trigger password resets, it would explain how an external party could initiate requests without directly hacking Instagram. Instagram hasn't confirmed or denied this connection.

How to change your Instagram password

Regardless of whether this incident directly affected you, changing your Instagram password is smart security practice, especially if you haven't updated it recently.

Don't click any links in password reset emails — instead, change your password directly through the Instagram app by following the steps below.

Step 1) Open Instagram and go to Settings and activity by tapping the three lines in the top right corner.

Step 2) Tap Accounts Center, then select Password and security.

Step 3) Tap Change password and choose your Instagram account if you have multiple accounts linked.

Step 4) Enter your current password, then create a new strong password. Use a combination of letters, numbers, and symbols that you don't use for other accounts. Avoid using personal information like birthdays or names that could be guessed.

After changing your password, you'll be logged out of all devices and will need to sign back in.

Set up two-factor authentication immediately

Two-factor authentication (2FA) is the most important security measure you can enable. With 2FA active, no one can access your account with just your password — they'll also need an authentication code.

Go to Settings and activity, Accounts Center, Password and security, and Two-factor authentication. Then simply select your Instagram username and choose your authentication method.

Authenticator apps (like Google Authenticator or Authy) are more secure than SMS since phone numbers can be hijacked, but SMS is better than nothing. Once enabled, anyone logging in from an unrecognized device will need both your password and the authentication code.
