Instagram breach reportedly exposes sensitive data belonging to 17.5M accounts

A woman holds a smartphone displaying the Instagram logo on the loading screen in Chiang Mai, Thailand, April 6, 2021. (Adobe Stock Photo)

January 11, 2026 10:41 AM GMT+03:00

Instagram, one of the world’s most popular social media platforms and owned by U.S.-based tech giant Meta, is reportedly facing a major cybersecurity crisis after hackers allegedly obtained the personal information of around 17.5 million users.

The leaked data may include usernames, email addresses, phone numbers, and even physical addresses—enough to raise serious privacy concerns.


Password reset chaos raises fears of coordinated attack

According to user reports from around the world, the trouble began in the early hours of Jan. 8, when people started receiving password reset emails they hadn’t requested. The messages looked legitimate; they came from Instagram’s official domain, used proper formatting, and featured the familiar branding.

Yet confusion spread quickly as recipients found no record of these emails within the app’s security history and continued to receive them even after changing their passwords manually.

At first, the wave of password reset emails led some to suspect a technical glitch or a misconfigured email system. But as reports multiplied and the pattern became clearer, it pointed to a deliberate and malicious act, possibly affecting 17.5 million accounts, according to cybersecurity firm Malwarebytes.

Cybercriminals are believed to have used the compromised data to trigger legitimate password reset requests, possibly to test which accounts were still active or to attempt unauthorized access.

Screenshot of a legitimate-looking Instagram password reset email that was sent to users on January 8, 2026. (Image via X/@Malwarebytes)


Meta denies breach, blames email trigger bug

CyberInsider, a cybersecurity news outlet, reported that the stolen data is already being sold on the dark web and that the breach may be linked to an unpatched API vulnerability in Instagram from 2024, which could have allowed large-scale data extraction.

However, a Meta spokesperson said that there was no data breach and that Instagram accounts remain secure, the British news outlet Daily Mail reported. The spokesperson explained that the issue was caused by a bug that allowed an external party to trigger password reset emails for some users, adding that the problem has since been fixed.

In the meantime, cybersecurity experts are urging users to take immediate action to protect their accounts. They advise against clicking on any links in unsolicited password reset emails, regardless of how legitimate they may seem.

Instead, users should manually reset their passwords through the Instagram app and activate Two-Factor Authentication (2FA) to add an extra layer of security.
