Over the past few days, many Instagram users have reported receiving emails asking them to reset their passwords. The emails appear legitimate at first glance, which has raised concerns over whether they are real security notices or part of a wider phishing attempt.
The situation gained attention after cybersecurity firm Malwarebytes reported claims that personal data linked to at least 17.5 million Instagram users had surfaced on the dark web. The data allegedly included usernames, email addresses, phone numbers and partial physical addresses. While the claims triggered alarm online, Instagram has since stated that there was no data breach affecting its systems.
Despite this, the timing of the emails caused confusion. Some users said the messages looked authentic, including the sender’s email domain, making it difficult to tell whether the request actually came from Instagram.
Users can check directly within the Instagram app. By going to Settings, then Password and Security, and scrolling down to Recent Emails, Instagram will display a list of security-related emails that were genuinely sent to the account. If the password reset email appears there, it is legitimate. If it does not, users are advised to ignore the message entirely.
Instagram acknowledged the confusion and said the issue stemmed from a bug that allowed external parties to trigger password reset emails for some users. In a post on X on 11 January, the company said the issue has since been fixed and confirmed that no security breach occurred.
Instagram also reassured users that affected accounts remain secure and that the emails can be safely ignored. As a precaution, users are encouraged to strengthen their account security by enabling two-factor authentication within the app.
