It's not entirely clear what the full truth of the matter is, but a wave of Instagram password reset emails is hitting users, which may or may not be related to data tied to roughly 17.5 million accounts for sale online.

The emails exploit growing confusion about a newly surfaced dataset linked to Instagram user information. Though the data lacks passwords, its circulation allows attackers to impersonate legitimate security messages and prompt users to act quickly.

Reports of a large dataset tied to Instagram users triggered waves of unsolicited password reset emails. Meta says the activity reflects abuse of existing systems, not a compromise of its infrastructure.

Instagram accounts are often linked to Apple IDs through shared email addresses. Phishing campaigns frequently pivot from social accounts to iCloud, Apple Pay, or App Store fraud.

Instagram data leak claims and Meta's response

A dataset advertised on criminal forums claims to include information tied to about 17.5 million Instagram accounts. Reported fields include usernames and contact details, with no evidence that passwords were exposed.

Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.

This data is available for sale on the dark web and can be abused by cybercriminals.

— Malwarebytes (@malwarebytes.com) January 9, 2026 at 11:34 AM

Around the same time, many users received legitimate-looking Instagram password reset emails they didn't request. Researchers linked the spike to automated abuse rather than confirmed account takeovers.

Instagram insists there was no breach of its internal systems — but this is a refrain we've heard before that hasn't been true. The company attributes the emails to a bug or workflow misuse that allowed third parties to trigger reset requests at scale.

Meta, the owner of Instagram, says the issue has been fixed. However, recycled data and phishing campaigns can persist for months.

How to spot and avoid Instagram password reset phishing emails on iOS and macOS

Apple users should ignore password reset emails they did not initiate, even if the messages appear authentic. Legitimate reset emails do not require immediate action, and attackers rely on urgency to prompt clicks.

If you're concerned, open the Instagram app directly and review security settings there. Avoid using links from emails, and be cautious of follow-up messages that reference account locks or policy violations.

Enabling two-factor authentication with an authenticator app adds protection across iOS and macOS.

  1. Open Instagram.
  2. Go to your profile.
  3. Tap the menu icon.
  4. Select Settings and privacy.
  5. Open Accounts Center.
  6. Tap Password and security.
  7. Select Two-factor authentication.
  8. Choose your account.
  9. Select an authenticator app.
  10. Follow the prompts.
  11. Save backup codes.

The broader risk remains phishing, not compromised passwords. Recognizing unsolicited security emails is still the most effective defense.