Instagram Addresses Suspicious Password Reset Emails Amid Data Leak Concerns
On January 11, 2026, Instagram acknowledged a wave of suspicious password reset emails sent to users, clarifying that the issue stemmed from an external party exploiting a flaw to trigger reset requests, not from a breach of its systems. The company assured users that accounts remained secure and advised ignoring the emails, though the incident sparked confusion and skepticism.
Days earlier, cybersecurity firm Malwarebytes uncovered a separate data leak affecting 17.5 million Instagram users, with stolen information including usernames, phone numbers, email addresses, and physical addresses already being sold on the dark web. While Instagram denied any system compromise, the timing of the two events raised questions among users and security researchers.
The company’s statements on Threads and X drew mixed reactions, with some users expressing doubt over the "no breach" claim, while others welcomed the transparency. The incident underscores ongoing risks tied to third-party access and the importance of monitoring unauthorized account activity.
Source: https://www.gadgetpilipinas.net/2026/01/instagram-says-accounts-are-secure/
Instagram cybersecurity rating report: https://www.rankiteo.com/company/instagram
Malwarebytes cybersecurity rating report: https://www.rankiteo.com/company/malwarebytes
"id": "INSMAL1768209991",
"linkid": "instagram, malwarebytes",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '17.5 million users',
                        'industry': 'Technology/Social Media',
                        'name': 'Instagram',
                        'type': 'Social Media Platform'}],
 'customer_advisories': 'Ignore suspicious password reset emails and enable '
                        'two-factor authentication',
 'data_breach': {'data_exfiltration': 'Yes (sold on Dark Web)',
                 'number_of_records_exposed': '17.5 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Usernames',
                                              'Phone numbers',
                                              'Physical addresses',
                                              'Email addresses']},
 'date_publicly_disclosed': '2026-01-11',
 'description': 'Instagram addressed suspicious password reset emails sent to '
                'users, clarifying that there was no breach of its systems. '
                'However, Malwarebytes reported a separate data breach '
                "involving 17.5 million Instagram users' sensitive information "
                'being sold on the Dark Web.',
 'impact': {'brand_reputation_impact': 'Mixed responses, some users doubting '
                                       "Instagram's claim of no breach",
            'data_compromised': 'Instagram usernames, phone numbers, physical '
                                'and email addresses',
            'identity_theft_risk': 'High'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes'},
 'recommendations': 'Users should regularly change passwords and enable '
                    'two-factor authentication',
 'references': [{'date_accessed': '2026-01-11',
                 'source': 'Instagram (via X/Threads)'},
                {'source': 'Malwarebytes'}],
 'response': {'communication_strategy': 'Public apology and clarification via '
                                        'social media (Threads, X, Instagram)',
              'containment_measures': 'Fixed the issue allowing external '
                                      'parties to request password reset '
                                      'emails'},
 'title': 'Instagram Password Reset Email Issue and Alleged Data Breach',
 'type': ['Data Breach', 'Unauthorized Password Reset Requests']}