Instagram says it fixed the issue behind shady password reset emails
Days after numerous users reported suspicious password reset emails, Instagram says it has fixed the issue.
Unsplash
Over the past few days, numerous Instagram users received an email regarding a password reset request. Around the same time, it was reported that cybercriminals had scraped the personal data of over 17 million users and that recent password reset phishing emails were linked to it. Well, Instagram says it has fixed the issue, while denying any data breach.
What happened?
Numerous users on X, including HaveIBeenPwned founder Troy Hunt, and Reddit shared screenshots of a suspicious Instagram password reset email in their inbox. Separately, cybersecurity firm Malwarebytes shared that hackers stole personal details of millions of users, and the data (which includes usernames, physical addresses, phone numbers, and email addresses) was listed for sale on the dark web.
We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure.
You can ignore those emails — sorry for any confusion.
— Instagram (@instagram) January 11, 2026
Instagram says it has fixed the issue and that users can conveniently ignore those emails. “We fixed an issue that let an external party request password reset emails for some people,” the company shared on X. Additionally, the company denied any instance of a data breach that may have exposed personal data of users.
However, we recommend that you go ahead and change the Instagram password from within the app’s accounts center, especially if you haven’t set up two-step authentication for login.
How to stay safe?
Scammers often impersonate businesses or even support executives to lure users into sharing their personal information. The recent wave of password reset emails that was sent to Instagram users is one such strategy. The links shared in such emails often lead users to pages where hackers either spoof a legitimate webpage or have set up other digital traps to extract sensitive information such as login credentials, credit card details, and more.
The first course of action is to check the sender’s email address and carefully look for any weird spelling mistakes. It’s best to verify these email addresses against the official support page of a company or service. Second, look for a blue checkmark against the email. Legitimate businesses, including Instagram, use such checkmarks next to the email address.
As a standard rule, never click on any links or buttons in such password emails unless you are sure about the sender’s identity. Also, make sure your accounts are protected by multi-factor or two-factor authentication. Using passkeys is one of the most convenient and safest options, as it locks identity verification behind biometric checks, such as face and fingerprint unlock.
Nadeem is a technology and science reporter at Digital Trends.
This Chrome extension makes it easier to trust your X feed
No more tapping into profiles just to see where someone’s “based in.”
What’s happened? X has recently added a “Based in” field that allows you to view the location of someone’s profile. Following that, RhysSullivan, an independent developer, has created a Chrome extension that takes those profile tags and shows them as tiny national flags directly in the feed, so there’s no need to open a profile to see an account’s country. The extension does this by calling X’s own API endpoints from the browser context while you’re logged in.
The extension identifies usernames on a feed page, then calls X’s GraphQL AboutAccountQuery to request the account_based_in field.
Check this new social app which lets you spoil your favourite TV shows and books
Do you want a safe place to spoil that episode? Phictly lets you and your friends pick the pace
What Happened: Remember how the internet used to feel?
That vibe of finding a tiny corner where people were just as obsessed with a show as you were?
Lawsuit claims Meta stopped research showing users felt better after leaving Facebook
Court filing alleges Meta hid findings that Facebook breaks improved user well-being
What Happened: Meta is back in the hot seat, and this time it’s over allegations that it buried its own research about Facebook’s impact on mental health.
A new, unredacted legal filing just hit the public eye, and it claims that back in 2019, Meta launched an internal study called Project Mercury.
