Instagram: Instagram Denies Data Breach, Fixes Unsolicited Password Reset Requests

Instagram Addresses Surge in Unsolicited Password Reset Requests

Over the weekend, multiple Instagram users reported receiving unexpected password reset emails, raising concerns about a potential security breach. Instagram swiftly responded, confirming that while an external party triggered the requests, its systems remained uncompromised.

In a statement posted on X (formerly Twitter), Instagram acknowledged the issue, stating that the vulnerability allowing the unauthorized reset requests had been resolved. The company assured users that no account data was accessed or exposed, urging recipients to disregard the emails. The method used by the external party to initiate the requests remains unclear.

Cybersecurity outlet CyberInsider suggested a possible connection to a 2024 Instagram API breach, which exposed the personal data of over 17 million users, including usernames, phone numbers, and email addresses. Instagram has not yet provided further details on the incident’s origins.

Users who received the unsolicited emails were advised to reset their passwords directly through the app’s security settings. Instagram also encouraged enabling two-factor authentication (2FA) via an authenticator app or SMS for added protection.

The incident drew a playful jab from X’s product head, Nikita Bier, who quipped about the platform’s visibility compared to Instagram’s Threads.

Source: https://uk.pcmag.com/business-1/162530/instagram-denies-data-breach-fixes-unsolicited-password-reset-requests

Instagram cybersecurity rating report: https://www.rankiteo.com/company/instagram

"id": "INS1768217370",
"linkid": "instagram",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Multiple users (unspecified '
                                              'number)',
                        'industry': 'Technology/Social Networking',
                        'location': 'Global',
                        'name': 'Instagram',
                        'size': 'Large (Meta subsidiary)',
                        'type': 'Social Media Platform'}],
 'attack_vector': 'API Exploitation',
 'customer_advisories': 'Reset passwords via the app and enable two-factor '
                        'authentication for added security',
 'data_breach': {'number_of_records_exposed': '17 million (if linked to 2024 '
                                              'breach)',
                 'personally_identifiable_information': 'Usernames, phone '
                                                        'numbers, email '
                                                        'addresses',
                 'sensitivity_of_data': 'Personally Identifiable Information '
                                        '(PII)',
                 'type_of_data_compromised': 'Potential exposure of usernames, '
                                             'phone numbers, email addresses '
                                             '(linked to 2024 API breach)'},
 'description': 'Over the weekend, several Instagram users received '
                'unsolicited password-reset requests, sparking speculation of '
                'a potential hack. Instagram clarified that the requests were '
                'triggered by an external party, but no systems were breached. '
                'The issue was resolved, and accounts remain secure.',
 'impact': {'brand_reputation_impact': 'Minor (speculation of breach)',
            'identity_theft_risk': 'Potential (if linked to 2024 API breach)'},
 'investigation_status': 'Ongoing (clarification pending from Instagram)',
 'lessons_learned': 'Need for stricter API access controls and monitoring for '
                    'unauthorized password reset requests',
 'post_incident_analysis': {'corrective_actions': 'API issue fixed; monitoring '
                                                  'for similar incidents',
                            'root_causes': 'Potential API misconfiguration or '
                                           'exploitation of a prior breach'},
 'recommendations': 'Users should ignore unsolicited password reset emails, '
                    'reset passwords directly via the app, and enable '
                    'two-factor authentication',
 'references': [{'source': 'Instagram (X post)'}, {'source': 'CyberInsider'}],
 'response': {'communication_strategy': 'Public statement via X (Twitter)',
              'containment_measures': 'Blocked unsolicited password reset '
                                      'requests',
              'remediation_measures': 'Fixed API issue allowing external '
                                      'requests'},
 'stakeholder_advisories': 'Users advised to ignore unsolicited password reset '
                           'emails and enable two-factor authentication',
 'threat_actor': 'External Party',
 'title': 'Unsolicited Instagram Password Reset Requests',
 'type': 'Unauthorized Access Attempt',
 'vulnerability_exploited': 'Potential 2024 Instagram API breach'}